Abstract. We study the automatic synthesis of fair non-repudiation protocols, a
class of fair exchange protocols, used for digital contract signing. First, we show
how to specify the objectives of the participating agents and the trusted third party
(TTP) as path formulas in LTL and prove that the satisfaction of these objectives
implies fairness, a property required of fair exchange protocols. We then show that
weak (co-operative) co-synthesis and classical (strictly competitive) co-synthesis fail,
whereas assume-guarantee synthesis (AGS) succeeds. We demonstrate the success of
assume-guarantee synthesis as follows: (a) any solution of assume-guarantee synthesis
is attack-free; no subset of participants can violate the objectives of the other
participants; (b) the Asokan-Shoup-Waidner (ASW) certified mail protocol that has
known vulnerabilities is not a solution of AGS; (c) the Kremer-Markowitch (KM)
non-repudiation protocol is a solution of AGS; and (d) AGS presents a new and
symmetric fair non-repudiation protocol that is attack-free. To our knowledge this is the
first application of synthesis to fair non-repudiation protocols, and our results show
how synthesis can both automatically discover vulnerabilities in protocols and generate
correct protocols. The solution to assume-guarantee synthesis can be computed
efficiently as the secure equilibrium solution of three-player graph games.

1 Introduction



Digital contract signing. The traditional paper-based contract signing mechanism
involves two participants with an intent to sign a piece of contractual text that is typically in
front of them. In this case, either both of them agree and sign the contract or they do not.
The mechanism is "fair" to both participants in that it does not afford either participant an
unfair "advantage" over the other. In digital contract signing, ubiquitous in the internet era,
an originator sends her intent to sign a contractual text to a recipient. Over the course of
a set of messages, they then proceed to exchange their actual signatures on the contract. In
this case, it is in general difficult to ensure fairness, as one of the two participants gains an
advantage over the other during the course of the exchange. If the participants do not trust
each other, then neither wants to sign the contract first, and the one that signs it first may
never get a reciprocal signature from the other participant. Moreover, as these contracts are
typically signed over asynchronous networks, the communication channels may provide no
guarantees on message delivery. The same situation arises in other related areas, such as fair
exchange and certified email.

Protocols for digital contract signing. Many protocols have been designed to facilitate
the exchange of digital signatures. The earliest exchange protocols were probabilistic. Participants
transmit successive bits of information, under the expectation that both participants
have similar computation power to detect dishonest behavior and stop participating in the
protocol. These protocols are impractical as the number of messages exchanged may be very
large, and both participants having similar computation power may not be realistic. Even
and Yacobi [12] first showed that no deterministic contract signing protocol can be realized
without the involvement of a third party arbitrator who is trusted by all participants. This
was formalized as an impossibility result in [21], where the authors show that fair exchange
is impossible without a trusted third party (TTP) for non-repudiation protocols. A simple
protocol with a TTP has the TTP collect all signatures and then distribute them to the
participants. But this is inefficient as it involves an online TTP to facilitate every exchange,
easily creating a bottleneck at the site of the TTP. This has led to the development of
optimistic protocols, where two participants exchange their signatures without involving a
TTP, calling upon the TTP to adjudicate only when one of the two participants is dishonest.
These protocols are called fair non-repudiation protocols with offline TTP.

Fair non-repudiation protocols. A fair non-repudiation protocol is therefore a contract
signing protocol, falling under the category of fair exchange protocols, that ensures that
at the end of the exchange of signatures over a network, neither participant can deny having
participated in the protocol. A non-repudiation protocol, upon successful termination,
provides each participant evidence of commitment to a contract that cannot be repudiated
by the other participant. A non-repudiation of origin (NRO) provides the recipient in an
exchange the ability to present to an adjudicator evidence of the sender's commitment to
a contract. A non-repudiation of receipt (NRR) provides the sender in an exchange the
ability to present to an adjudicator evidence of the recipient's commitment to a contract.
An exchange protocol should satisfy the following informal requirements [19, 13]:

1. Fairness. The communication channels quality being fixed, at the end of the exchange 
protocol run, either all involved parties obtain their expected items or none (even a part) 
of the information to be exchanged with respect to the missing items is received. 

2. Abuse-freeness. It is impossible for a single entity at any point in the protocol to be able
to prove to an outside party that she has the power to terminate (abort) or successfully
complete the protocol.

3. Timeliness. The communication channels quality being fixed, the parties always have 
the ability to reach, in a finite amount of time, a point in the protocol where they can 
stop the protocol while preserving fairness. 

In addition to the above properties, a fair non-repudiation protocol is also expected
to satisfy the following requirements: (a) Viability. Independently of the communication
channels quality, there exists an execution of the protocol where the exchange succeeds. (b)
Non-repudiability. It is impossible for a single entity, after the execution of the protocol, to
deny having participated in a part or the whole of the communication.

Existing protocols. Some of the existing protocols in this category are the Zhou-Gollmann
(ZG) protocol [33], the Asokan-Shoup-Waidner (ASW) protocol [4], the Garay-Jakobsson-MacKenzie
(GJM) protocol [13] and the Kremer-Markowitch (KM) protocol [20]. Non-repudiation
protocols are difficult to design in general [32, 28, 19, 14, 16] and much literature
covers the design and verification of these protocols. While some of the literature covers
the discovery of vulnerabilities in these protocols based on the content of the exchanged
messages, others have tried to find attacks based on the sequences of messages that can be
exchanged, based on the rules of the protocols. However, there is no work that focuses on
automatically obtaining correct solutions of these subtle and hard to design protocols.

Our contributions. We show that the classical synthesis formulations that are strictly
competitive are inadequate for synthesizing these protocols and that newer conditionally
competitive formulations are more appropriate. To our knowledge this is the first application
of game-theoretic controller synthesis to security protocols. Synthesis has many advantages
over model checking. While model checking finds specific vulnerabilities for a designed
protocol, the counter-examples in synthesis are strategies (or refinements) that exhibit vulnerabilities
against a set of protocol realizations. Moreover, impossibility results such as the
failure to realize non-repudiation protocols without a TTP cannot be deduced with model
checking, whereas such results can be deduced in a synthesis framework, as we show in this
paper. Our contributions are as follows:

1. We present the formal objectives of the participants and the trusted third party as path
formulas in Linear Temporal Logic (LTL) and prove that satisfaction of the objectives
implies fairness of the protocols (for syntax, semantics and a description of LTL see [23,
18]). The timeliness property is also satisfied easily. The precise formalization of protocol
requirements as LTL path formulas is a basic pre-requisite for synthesis.

2. We show that classical (strictly competitive) co-synthesis and weak (co-operative) co-synthesis
fail, whereas assume-guarantee (conditionally competitive) co-synthesis [9] succeeds.

3. We show that all solutions in the set $P_{AGS}$ of assume-guarantee solutions are attack-free,
i.e., any solution in $P_{AGS}$ prevents malicious participants from gaining an unfair
advantage.

4. We show that the ASW certified mail protocol is not in $P_{AGS}$, due to known vulnerabilities
that could have been automatically discovered. The GJM protocol is also not
in $P_{AGS}$ as it compromises our objective for the TTP, while providing fairness and
abuse-freeness to the agents. The KM protocol is in $P_{AGS}$ and it follows that it could
have been automatically generated by formalizing the problem of protocol design as a
synthesis problem.

5. The ASW, GJM and KM protocols are not symmetric as they do not allow the recipient
to abort the protocol. From our analysis of the refinements in $P_{AGS}$ we construct a
new and symmetric fair non-repudiation protocol that provides not just the originator
but also the recipient in an exchange the ability to abort the protocol. Given that the
TTP satisfies certain constraints on her behavior, such that her objective is satisfied, we
show that the symmetric protocol is attack-free.

6. Our results provide a game-theoretic justification of the need for a trusted third party.
This gives an alternative justification of the impossibility results of [12, 21].

It was shown in [9] that the solutions of assume-guarantee synthesis can be obtained through
the solution of secure equilibria [10] in graph games. Applying the results of [9], given our
objectives, we show that for fair non-repudiation protocols, the solutions can be obtained in
quadratic time.

Related works. The formal verification of fair exchange protocols uses model checking
to verify a set of protocol objectives specified in a suitable temporal logic. The work of
Shmatikov and Mitchell [28] uses the finite state tool Murφ to model the participants in a
protocol together with an intruder model, to check a set of safety properties by state space
exploration. They expose a number of vulnerabilities that may lead to replay attacks in both
the ASW protocol and the GJM protocol. Zhou et al. show the use of belief logics to verify
non-repudiation protocols [34]. The works [15, 14, 16, 7] use game theoretic models and the
logic ATL to formally specify fairness, abuse-freeness and timeliness, which they verify using
the tool MOCHA [2]. Independently, in [6] the authors use a game-based approach, with
a set-rewriting technique, to verify fair exchange protocols. However, these works focus on
verification and not on the synthesis of protocols. Armando et al. [3] use set-rewriting with
LTL to verify the ASW protocol and report a new attack on the protocol. Louridas in [17]
provides several insightful guidelines for the design of non-repudiation protocols.

The notion of weak or co-operative co-synthesis was introduced in [11], classical or strictly
competitive co-synthesis was studied in [24, 26] and assume-guarantee or conditionally competitive
co-synthesis was introduced in [9]. But none of these works consider security protocols.
The first effort at synthesizing security protocols is [22, 29] and is related to the
automatic generation of mutual authentication protocols, where the authors use iterative
deepening with a cost function to generate correct protocols that minimize cost; they do not
address digital contract signing. In [27], the authors describe a prototype synthesis tool that
uses the BAN [5] logic to describe protocol goals with extensions to describe protocol rules
that, when combined with a proof system, can be used to generate protocols satisfying those
goals. The authors use their approach to synthesize the Needham-Schroeder protocol; they
do not address digital contract signing. The work of [1] uses multi-player games to obtain
correct solutions of multi-party rational exchange protocols in the emerging area of rational
cryptography. These protocols do not provide fairness, but do ensure that rational parties
would have no reason to deviate from the protocol. None of the above works use a conditionally
competitive synthesis formulation, which we show is necessary for fair non-repudiation
protocols. Our technique is very different from these and all previous works, as we use the
rich body of research in controller synthesis to construct fair exchange protocols efficiently,
in time that is quadratic in the size of the model. The finite state models are typically small,
so that the application of synthesis techniques as we propose in this paper is both appealing
and realizable in practice.

2 Fair Non-repudiation Protocols 

In this section we introduce fair non-repudiation protocols. We first define a participant 
model, a protocol model and an attack model. We then introduce the agents and the trusted 
third party that participate in fair exchange protocols, the messages that they may send 
and receive, and the channels over which they communicate. Finally, we introduce a set of 
predicates that are set based on messages that are sent and received and that form the basis 
for our protocol and participant objectives in the subsequent section. 

A participant model. Our protocol model is different from the Strand Space model [30]
and is closer to the model required for the synthesis of protocols as participant refinements.
We define our model as follows: Let $V$ be a finite set of variables that take values in some
domain $D_V$. A valuation $f$ over the variables $V$ is a function $f : V \to D_V$ that assigns to
each variable $v \in V$ a value $f(v) \in D_V$; we take $\mathcal{F}[V]$ as the set of all valuations over the
variables in $V$. Let $\mathcal{M}$ be a finite set of messages (terms in the Strand Space model) that
are exchanged between a set $A = \{A_i \mid 1 \le i \le n\}$ (roles in the Strand Space model) of
participants. We define each participant as the tuple $A_i = (L_i, V_i, \Delta_i, \delta_i)$, where $L_i$ is a finite
set of control points or values taken by a program counter, $V_i \subseteq V$ is a set of variables,
$\Delta_i : \mathcal{F}[V_i] \to 2^{\mathcal{M}}$ is a message assignment that, given a valuation $f \in \mathcal{F}[V_i]$, returns the set
of messages that can be sent by $A_i$ at $f$; this set includes all messages that can be composed
by $A_i$ based on what she knows in the valuation $f$. Valuations over variables represent what
a participant knows at a given control point. We take $V = \bigcup_{A_i \in A} V_i$ and assume that the sets
$V_i$ form a partition of $V$. An $A_i$ transition function is $\delta_i : L_i \times \mathcal{F}[V_i] \times \mathcal{M} \to L_i \times \mathcal{F}[V_i]$
that, given a control point, a valuation over $V_i$ and a message either sent or received by
$A_i$, returns the next control point of $A_i$ and an updated valuation. The participants may
send messages simultaneously and independently, and can either receive a message or send
a message at every control point.



The most general participants. We interpret the elements of A as the most general 
participants in an exchange; the participants in A can send any message that can be com- 
posed at each control point, based on messages they have received up to that control point. 
We take the interaction between the elements of A as the most general exchange program. 
Every participant in an exchange has her own objective to satisfy. We take the objective of 
a participant as a set of desired sequences of valuations of the protocol variables. 

A protocol model. A realization of an exchange protocol is a restriction of the most
general exchange program that consists of the set $A' = \{A'_i \mid A_i \in A\}$ of participants,
with behaviors restricted by the rules of the protocol. We take $A'_i = (L'_i, V_i, \Delta'_i, \delta'_i)$, where
$L'_i \subseteq L_i$, $V_i$ is the same set of variables as in $A_i$, for every valuation $f \in \mathcal{F}[V_i]$ we have
$\Delta'_i(f) \subseteq \Delta_i(f)$, and $\delta'_i : L'_i \times \mathcal{F}[V_i] \times \mathcal{M} \to L'_i \times \mathcal{F}[V_i]$ is the transition function that, given a
control point in $L'_i$, a valuation over $V_i$ and a message either sent or received by $A'_i$, returns
the next control point of $A'_i$ and an updated valuation. For $l \in L'_i$, $v \in \mathcal{F}[V_i]$ and $m \in \mathcal{M}$,
we have $\delta'_i(l, v, m) = \delta_i(l, v, m)$. We define a protocol instance (or a protocol run) as any
sequence of valuations generated by the participants in $A'$ and take the set of all possible
protocol runs as $Runs(A')$. We refer to a message that can be sent by a participant as a
move of that participant.

An attack model. We define an attack on a protocol as the behavior of a subset of protocol
participants such that the resulting sequence of messages is in their objective but not in the
objective of at least one of the other participants. Formally, let $Y \subseteq A$ be a subset of the most
general participants with $(A \setminus Y)' = \{A'_j \mid A_j \in (A \setminus Y)\}$ being the remaining participants that
follow the rules of the protocol. A protocol has a $Y$-attack if the most general participants
in $Y$ can generate a message sequence, given that $(A \setminus Y)'$ follow the protocol, that is not in the
objective of at least one participant in $(A \setminus Y)'$ but is in the objectives of all participants in
$Y$. A protocol is attack-free if there exists no $Y$-attack for any $Y \in 2^A$.

Agents. An agent in a two-party exchange protocol is one of the two participating entities 
signing an online contract. Based on whether an agent proposes a contract or accepts a 
contract originating from another agent, we get two roles that an agent can play; that of an 
originator of a contract, designated by O or the recipient of a contract, designated by R. 
Agents communicate with each other over channels. 

Trusted third party (TTP). The trusted third party or TTP is a participant who is 
trusted by the agents and adjudicates and resolves disputes. It is known that a fair exchange 
protocol cannot be realized without the TTP [12,21]. We model the TTP explicitly as a 
participant, define her objective and using our formulation give a game-theoretic justification 
that the TTP is necessary. Agents and the TTP communicate with each other over channels. 

Messages. A message is an encrypted stream of bytes; we treat each message as an atomic
unit. We assume each message contains a nonce that uniquely identifies a protocol instance;
participants can simultaneously participate in multiple protocol instances. We are not concerned
with the exact contents of each message, but with what each message conveys; this is
in keeping with our objective of synthesizing protocols that are attack-free with respect to
message interleavings. From the definition of messages in fair exchange protocols in [15, 14,
16, 28] and other works, we define the set $\mathcal{M}$ of messages as follows:

— $m_1$ is a message that may be sent by O to R. The intent of this message is to convey
O's desire to sign a contract with a recipient R.

— $m_2$ is a message that may be sent by R to O upon receiving $m_1$. This conveys R's intent
to sign the contract sent by O.

— $m_3$ is a message that may be sent by O to R upon receiving $m_2$ and contains the actual
signature of O.

— $m_4$ is a message that contains the actual signature of R and may be sent by R to O
upon receiving $m_3$.

— $a^O_1$ is a message that may be sent by O to the TTP and conveys O's desire to abort the
protocol.

— $a^O_2$ (resp. $a^R_2$) is a message that may be sent by the TTP to O (resp. R) that confirms
the abort by including an abort token for O (resp. R).

— $r^O_1$ (resp. $r^R_1$) is a message that may be sent by O (resp. R) to the TTP and conveys O's
(resp. R's) desire to get the TTP to resolve a protocol instance by explicitly requesting
the TTP to adjudicate. We do not specify the content of $r^O_1$ or $r^R_1$ but make the
assumption that the TTP needs $m_1$ to recover the protocol for R and similarly needs $m_2$
to recover the protocol for O.

— $r^O_2$ (resp. $r^R_2$) is a message that may be sent by the TTP to O (resp. R) and contains a
universally verifiable signature in lieu of the signature of R (resp. O).

The messages that each participant can send in a state depend on what the participant
knows in that state. We assume that every recipient can check if the message she receives
contains what she expects and that it originates from the purported sender. We impose
an order on the messages $m_1, m_2, m_3$ and $m_4$, as it can be shown trivially in our synthesis
formulation that O sending $m_3$ before receiving $m_2$ and R sending $m_4$ before receiving
$m_3$ violates their respective objectives. Further, since our concern in this paper is not to
synthesize messages impervious to attacks, but rather the correct sequences of messages
that are impervious to attacks, we assume the former can be accomplished by the use of
appropriate cryptographic primitives. We remark that primitives such as private contract
signatures (PCS), introduced by Garay et al. in [13], can be used with protocols that are
synthesized using our technique to ensure such properties as the designated verifier property,
which guarantees abuse-freeness. In our formulations, we consider a reasonable TTP that
satisfies the following restrictions on behavior:

1. The TTP will never send a message unless it receives an abort or a resolve request. 

2. The TTP processes messages in a first-in-first-out fashion.

3. If the first message received by the TTP is an abort request, then the TTP will eventually 
send an abort token. 

4. If the first message received by the TTP is a resolve request, then the TTP will eventually 
send an agent signature. 
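As an added example (not the paper's code), the following Python encodes these four restrictions as a small TTP that keeps one first-in-first-out queue and one decision per protocol instance, keyed by the nonce every message carries. The message names `a1_O`, `r1_O`, `r1_R`, `a2_O`, `a2_R`, `r2_O`, `r2_R` are this example's spelling of the abort request, the two resolve requests, the two abort tokens and the two TTP-issued signatures, and the fields `m1`/`m2` stand for the $m_1$ or $m_2$ a resolve request must carry for the TTP to recover the instance. Two behaviors the four rules leave open are assumptions of the example: a resolve request that lacks its evidence is dropped, and a request that arrives after the instance has already been decided is answered consistently with that decision (an abort token after an abort, a signature after a resolve), so the TTP never resolves an aborted instance and never aborts a resolved one.

```python
from collections import deque


class ReasonableTTP:
    """TTP obeying restrictions 1-4: it sends nothing unsolicited, processes
    requests first-in-first-out, and lets the first request it processes for an
    instance decide whether that instance is aborted or resolved."""

    def __init__(self):
        self.queue = deque()    # (nonce, request) in arrival order (rule 2)
        self.decision = {}      # nonce -> "aborted" or "resolved"

    def receive(self, nonce, request):
        """Queue a request.  `request` is a dict with "type" in {"a1_O",
        "r1_O", "r1_R"}; a resolve request must carry the evidence the TTP
        needs to recover the instance, "m2" for O and "m1" for R (field names
        are this example's assumption)."""
        self.queue.append((nonce, request))

    def step(self):
        """Process the oldest queued request (rule 1: nothing is sent without
        one) and return what the TTP sends as (nonce, recipient, message)."""
        if not self.queue:
            return []
        nonce, req = self.queue.popleft()
        kind = req["type"]
        requester = "O" if kind.endswith("_O") else "R"
        if kind != "a1_O" and ("m2" if requester == "O" else "m1") not in req:
            return []           # assumption: an unrecoverable resolve request is dropped
        first = nonce not in self.decision
        if first:               # rules 3 and 4: the first request decides the instance
            self.decision[nonce] = "aborted" if kind == "a1_O" else "resolved"
        if self.decision[nonce] == "aborted":
            return [(nonce, requester, "a2_" + requester)]   # abort token, never a signature
        if first:               # a resolve serves both agents, never one without the other
            return [(nonce, "O", "r2_O"), (nonce, "R", "r2_R")]
        return [(nonce, requester, "r2_" + requester)]       # no abort token after a resolve


def adjudicate(requests):
    """Feed (nonce, request) pairs in arrival order, drain the queue and
    return everything the TTP sent, in order."""
    ttp = ReasonableTTP()
    for nonce, req in requests:
        ttp.receive(nonce, req)
    sent = []
    while ttp.queue:
        sent.extend(ttp.step())
    return sent


if __name__ == "__main__":
    # Constructed requests: O aborts n1 before R asks to resolve it, so R gets
    # an abort token; R resolves n2 first, so O's later abort is answered with
    # O's replacement signature instead of an abort token.
    print(adjudicate([("n1", {"type": "a1_O"}),
                      ("n1", {"type": "r1_R", "m1": "<m1 of n1>"}),
                      ("n2", {"type": "r1_R", "m1": "<m1 of n2>"}),
                      ("n2", {"type": "a1_O"})]))
```

The per-instance decision is what makes the TTP accountable in the sense of Section 3: once it has answered an instance, every later answer for the same nonce is of the same kind, so an agent can never end up holding both an abort token and a TTP-issued signature from this TTP.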

Channels. A channel is used to deliver a message. There are three types of channels that are 
typically modeled in the literature. We present them here in decreasing order of reliability: 

1. An operational channel delivers all messages within a known, finite amount of time. 

2. A resilient channel eventually delivers all messages, but there is no fixed finite bound 
on the time to deliver a message. 

3. An unreliable channel may not deliver all messages eventually. 

We model the channels between the agents as unreliable and those between the agents and 
the TTP as resilient as in prevailing models; messages sent to the TTP and by the TTP 
will eventually be delivered. We do not model the channels explicitly, but synthesize pro- 
tocols irrespective of channel behavior. In particular, unreliable channels may never deliver 
messages and messages sent to the TTP may arrive in any order at the TTP. 

Scheduler. The scheduler is not explicitly part of any fair exchange protocol. The protocol 
needs to provide all agents the ability to send messages asynchronously. This implies that the 



agents can choose their actions simultaneously and independently. We model this behavior 
by using a fair scheduler that assigns each participant a turn and we synthesize refinements 
against all possible behaviors of a fair scheduler. 

Predicates. We introduce the following set of predicates.

— $M_1$ is set by O when she sends message $m_1$ to R.

— EOO, referred to as the Evidence Of Origin, is set by R when either $m_1$ or $r^R_2$ is received.

— EOR, referred to as the Evidence Of Receipt, is set by O when either $m_2$ or $r^O_2$ is received.

— $EOO_k$ and $EOO_k^{TTP}$ are referred to as O's signature. $EOO_k$ is set by R when R receives
$m_3$ and $EOO_k^{TTP}$ is set by R when he receives $r^R_2$.

— $EOR_k$ and $EOR_k^{TTP}$ are referred to as R's signature. $EOR_k$ is set by O when O receives
$m_4$ and $EOR_k^{TTP}$ is set by O when she receives $r^O_2$.

— AO is set by O and indicates that $a^O_2$ has been received.

— AR is set by R and indicates that $a^R_2$ has been received.

— ABR is set by the TTP when an abort request $a^O_1$ is received.

— RES is set by the TTP when a resolve request, $r^O_1$ or $r^R_1$, is received.

All predicates are monotonic in that once they are set, they remain set for the duration of a
protocol instance [28]. We distinguish between a signature sent by an agent and the signature
sent by the TTP as a replacement for an agent's signature in the predicates. Distinguishing
these signatures enables modeling TTP accountability [28]. The non-repudiation of origin for
R, denoted by NRO, means that R has received both O's intent to sign a contract and O's
signature on the contract, so that O cannot deny to a third party having signed the contract.
Formally, NRO is defined as $NRO = EOO \wedge (EOO_k \vee EOO_k^{TTP})$. The non-repudiation of
receipt for O, denoted by NRR, means that O has received both the intent and signature of
R on a contract, so that R cannot deny to a third party having signed the contract. Formally,
NRR is defined as $NRR = EOR \wedge (EOR_k \vee EOR_k^{TTP})$.



3 LTL Specifications for Protocol Requirements 

The synthesis of programs requires a formal objective of their requirements. One of our 
contributions in this paper is to present a precise and formal description of the protocol 
requirement as a path formula in Linear Temporal Logic (LTL [23, 18]), which then becomes 
our synthesis objective. In this section, we define the objective for fair non-repudiation 
protocols, objectives for the agents and the TTP and show that satisfaction of the objectives 
of the agents and the TTP imply satisfaction of the objective of the protocols. We use LTL, 
a logic that is used to specify properties of infinite paths in finite-state transition systems. 
In our specifications, we use the usual LTL notations $\Box$ and $\Diamond$ to denote always (safety)
and eventually (reachability) specifications, respectively.

Fairness. Informally, fairness for O can be stated as "For all protocol instances, if the non-repudiation
of origin (NRO) is ever true, then eventually the non-repudiation of receipt
(NRR) is also true" [16]. The fairness property for O is expressed by the LTL formula

$\varphi^O_f = \Box(NRO \Rightarrow \Diamond NRR)$.

Similarly, the fairness property for R is expressed by the LTL formula $\varphi^R_f = \Box(NRR \Rightarrow
\Diamond NRO)$. We say that a protocol is fair if in all instances of the protocol, fairness for both
O and R holds. Hence the fairness requirement for the protocol is expressed by the formula

$\varphi_f = \varphi^O_f \wedge \varphi^R_f$.   (1)



Abuse-freeness. The definition of abuse-freeness as given in [13] is the following: "An
optimistic contract signing protocol is abuse-free if it is impossible for a single player at
any point in the protocol to be able to prove to an outside party that he has the power
to terminate (abort) or successfully complete the contract". In [8], the authors prove that
in any fair optimistic protocol, an optimistic participant yields an advantage to the other
participant. In a given protocol instance, once an agent has the other agent's intent to sign
a contract, he can use this intent to negotiate a different contract with a third party, while
ensuring that the original protocol instance is aborted. The term aborted is used here to
mean that neither agent can get a non-repudiation evidence in a given protocol instance,
once that instance is aborted. As noted by the authors of [8], the best that one can hope for
is to prevent either participant from proving to a third party that he has an advantage, or in
other words, that he has the other participant's intent to sign the contract. This is defined as
abuse-freeness. As noted by the authors of [13, 15], using PCS or Private Contract Signatures,
introduced by Garay et al. in [13], which provides the designated verifier property, neither
agent can prove the other agent's intent to sign the contract to anyone other than the TTP.
Therefore, ensuring abuse-freeness requires the use of PCS. Since PCS are requisite to ensure
abuse-freeness, we do not model abuse-freeness, or the stronger property balance [6], in our
formalism.

Timeliness. Informally, timeliness is defined as follows: "A protocol respects timeliness, if 
both agents always have the ability to reach, in a finite amount of time, a point in the protocol 
where they can stop the protocol while preserving fairness" . We do not model timeliness in 
this paper as the cases in the literature where timeliness is compromised involve the lack of 
an abort subprotocol. Since we explicitly include the capability to abort the protocol, our 
solution provides timeliness as guaranteed by existing protocols. Alternatively, timeliness 
could be explicitly modeled in the specifications of the agents and the TTP, but in the 
interest of keeping the objectives simpler so that we convey the more interesting idea of 
using assume-guarantee synthesis, we avoid modeling timeliness explicitly. 

Signature exchange. A protocol is an exchange protocol if it enables the exchange of 
signatures. This is also referred to as Viability in the literature. For an exchange protocol 
to be a non-repudiation protocol, at the end of every run of the protocol, either the agents 
have their respective non-repudiation evidences, or, if they do not have their non-repudiation 
evidences, they have the abort token. The property that evidences once obtained are not 
repudiable is referred to as Non-repudiability . A fair non-repudiation protocol must satisfy 
fairness, abuse-freeness, non-repudiability and viability. 

We now present intuitive objectives for the agents and the trusted third party and show 
that satisfaction of these objectives implies that the protocols we synthesize are fair. 

Specification for the originator O. The objective of the originator O is expressed as
follows:

— In all protocol instances, she eventually sends the evidence of origin. This is expressed
by the LTL formula $\varphi^1_O = \Diamond M_1$.

— In all protocol instances, one of the following statements should be true:

1. (a) The originator eventually gets the recipient's signature $EOR_k$ or, (b) she eventually
gets the recipient's signature $EOR_k^{TTP}$ and never gets the abort token AO.
This is expressed by the LTL formula

$\varphi^2_O = \Diamond EOR_k \vee (\Diamond EOR_k^{TTP} \wedge \Box\neg AO)$.

2. (a) The originator eventually gets the abort token and, (b) the recipient never gets
her signature $EOO_k$ and never gets her signature $EOO_k^{TTP}$ from the TTP. This is
expressed by the LTL formula

$\varphi^3_O = \Diamond AO \wedge (\Box\neg EOO_k \wedge \Box\neg EOO_k^{TTP}) = \Diamond AO \wedge \Box(\neg EOO_k \wedge \neg EOO_k^{TTP})$.

The objective $\varphi_O$ of O can therefore be expressed by the following LTL formula

$\varphi_O = \varphi^1_O \wedge \Box(\varphi^2_O \vee \varphi^3_O)$.   (2)

There are two interpretations of the abort token in the literature. On the one hand, the abort
token was never intended to serve as a proof that a protocol instance was not successfully
completed; it was to guarantee that the TTP would never resolve a protocol after it has
been aborted. On the other hand, there is mention of the abort token being used by the
recipient to prove that the protocol was aborted. We take the position that the abort token
may be used to ensure TTP accountability as noted in [28] and hence include it in the
objective of O. If the TTP misbehaves and issues both $EOR_k^{TTP}$ and AO, we claim that
the objective $\varphi_O$ of the originator should be violated, but in this case she has the power
to prove that the TTP misbehaved by presenting both $EOR_k^{TTP}$ and AO to demonstrate
inconsistent behavior. While having both $EOR_k^{TTP}$ and AO is a violation of $\varphi_O$, having both
$EOR_k$ and AO is not a violation of $\varphi_O$; once O receives $EOR_k$, we take it that the objective
$\varphi_O$ is satisfied. While having both $EOR_k$ and $EOR_k^{TTP}$ may be interpreted as O having
inconsistent signatures, we do not consider this to be a violation of O's objective; given the
nature of asynchronous networks it may well be the case that both these evidences arrive
eventually, one from the TTP and the other from R, as O did not wait long enough before
sending $r^O_1$.

Specification for the recipient R. The objective of the recipient R can be expressed as follows:

— In all protocol instances, if he gets the evidence of origin EOO, then one of the following statements should be true:

1. (a) The recipient eventually gets the originator's signature $EOO_k^O$ or, (b) he eventually gets the originator's signature $EOO_k^{TTP}$ and never gets the abort token AR. This is expressed by the LTL formula

$$\varphi_R^1 = (\Diamond EOO_k^O \vee (\Diamond EOO_k^{TTP} \wedge \Box \neg AR)) .$$

2. (a) The recipient eventually gets the abort token and, (b) the originator never gets his signature $EOR_k^R$ and never gets his signature $EOR_k^{TTP}$ from the TTP. This is expressed by the LTL formula

$$\varphi_R^2 = \Diamond AR \wedge (\Box \neg EOR_k^R \wedge \Box \neg EOR_k^{TTP}) = \Diamond AR \wedge \Box(\neg EOR_k^R \wedge \neg EOR_k^{TTP}) .$$

The objective $\varphi_R$ can therefore be expressed by the LTL formula

$$\varphi_R = \Box(EOO \Rightarrow (\varphi_R^1 \vee \varphi_R^2)) . \qquad (3)$$

If the TTP misbehaves and issues both $EOO_k^{TTP}$ and AR, we claim that the objective $\varphi_R$ of the recipient should be violated, but in this case he has the power to prove that the TTP misbehaved by presenting both $EOO_k^{TTP}$ and AR. Similar to the case of O, once R receives $EOO_k^O$, the objective $\varphi_R$ is satisfied whether or not abort tokens or non-repudiation evidences are issued by the TTP.

Specification for the trusted third party TTP. The objective of the trusted third party is to treat both agents symmetrically and be accountable to both agents. It can be expressed as follows:

— In all protocol instances, if the abort request or a resolve request $r_1^O$ or $r_1^R$ is received, then eventually the TTP sends the abort token AO or the abort token AR or the originator's signature $EOO_k^{TTP}$ or the recipient's signature $EOR_k^{TTP}$. This can be expressed by the LTL formula

$$\varphi_{TTP}^1 = \Box((ABR \vee RES) \Rightarrow (\Diamond AO \vee \Diamond AR \vee \Diamond EOO_k^{TTP} \vee \Diamond EOR_k^{TTP})) .$$

— In all protocol instances, if the originator's signature $EOO_k^{TTP}$ has been sent to the recipient, then the originator should eventually get the recipient's signature $EOR_k^{TTP}$ and the agents should never get the abort token. This can be expressed by the LTL formula

$$\varphi_{TTP}^2 = \Box(EOO_k^{TTP} \Rightarrow (\Diamond EOR_k^{TTP} \wedge \Box(\neg AO \wedge \neg AR))) .$$

— Symmetrically, in all protocol instances, if the recipient's signature $EOR_k^{TTP}$ has been sent to the originator, then the recipient should eventually get the originator's signature $EOO_k^{TTP}$ and the agents should never get the abort token. This can be expressed by the LTL formula

$$\varphi_{TTP}^3 = \Box(EOR_k^{TTP} \Rightarrow (\Diamond EOO_k^{TTP} \wedge \Box(\neg AO \wedge \neg AR))) .$$

— In all protocol instances, if the originator gets the abort token AO, then the recipient should eventually get the abort token AR and the originator should never get the recipient's signature $EOR_k^{TTP}$ and the recipient should never get the originator's signature $EOO_k^{TTP}$. This can be expressed by the LTL formula

$$\varphi_{TTP}^4 = \Box(AO \Rightarrow (\Diamond AR \wedge \Box(\neg EOO_k^{TTP} \wedge \neg EOR_k^{TTP}))) .$$

— Symmetrically, in all protocol instances, if the recipient gets the abort token AR, then the originator should eventually get the abort token AO and the originator should never get the recipient's signature $EOR_k^{TTP}$ and the recipient should never get the originator's signature $EOO_k^{TTP}$. This can be expressed by the LTL formula

$$\varphi_{TTP}^5 = \Box(AR \Rightarrow (\Diamond AO \wedge \Box(\neg EOO_k^{TTP} \wedge \neg EOR_k^{TTP}))) .$$

The objective $\varphi_{TTP}$ of the TTP is then defined as:

$$\varphi_{TTP} = \varphi_{TTP}^1 \wedge \varphi_{TTP}^2 \wedge \varphi_{TTP}^3 \wedge \varphi_{TTP}^4 \wedge \varphi_{TTP}^5 . \qquad (4)$$



Note that our objective for the TTP treats both agents symmetrically. In this paper we present assume-guarantee synthesis for the above objective of the TTP. But in general, the objective of the TTP can be weakened if desired, by treating the agents asymmetrically, and the assume-guarantee synthesis technique can be applied with this weakened objective. We remark that the specifications of the participants in our protocol model are sequences of messages. Using predicates that are set when messages are sent or received by the agents or the TTP, we transform those informal specifications into formal objectives using the predicates and LTL. The following theorem shows that the objectives we have introduced, (2), (3) and (4), imply fairness (1).

Theorem 1 (Objectives imply fairness) We have, $\varphi_O \wedge \varphi_R \wedge \varphi_{TTP} \Rightarrow \varphi_F$.



Proof To prove the assertion, assume towards a contradiction that there exists a path that satisfies $\varphi_O \wedge \varphi_R \wedge \varphi_{TTP}$ but does not satisfy $\varphi_F$. We consider the case when the path does not satisfy the first conjunct $\varphi_F^1 = \Box(NRO \Rightarrow \Diamond NRR)$ (a similar argument applies to the second conjunct). If the path does not satisfy $\varphi_F^1$, then there is a suffix of the path where $EOO \wedge (EOO_k^O \vee EOO_k^{TTP})$ holds but $EOR \wedge (EOR_k^R \vee EOR_k^{TTP})$ does not hold at all states of the suffix. It follows that the path satisfies

$$\Diamond\Box(EOO \wedge (EOO_k^O \vee EOO_k^{TTP}) \wedge (\neg EOR \vee (\neg EOR_k^R \wedge \neg EOR_k^{TTP}))) . \qquad (5)$$

Consider the objective $\varphi_O^2 = (\Diamond EOR_k^R \vee (\Diamond EOR_k^{TTP} \wedge \Box \neg AO))$. Since all predicates are monotonic, we can rewrite $\varphi_O^2$ as follows:

$$\varphi_O^2 = \Diamond\Box(EOR_k^R \vee (EOR_k^{TTP} \wedge \neg AO)) .$$

Similarly, we can rewrite $\varphi_O^3$ as follows:

$$\varphi_O^3 = \Diamond\Box(AO \wedge \neg EOO_k^O \wedge \neg EOO_k^{TTP}) .$$

If a path satisfies (5), then it also satisfies $\Diamond\Box(EOO_k^O \vee EOO_k^{TTP})$. By the monotonicity of the predicates, $\Diamond\Box(EOO_k^O \vee EOO_k^{TTP})$ is equivalent to $\Diamond\Box EOO_k^O \vee \Diamond\Box EOO_k^{TTP}$. We consider the following cases to complete the proof:

1. Case 1. The path satisfies $\Diamond\Box EOO_k^O$. If the path satisfies $\Diamond\Box EOO_k^O$, then the path does not satisfy $\varphi_O^3$. We now show that the path also does not satisfy $\varphi_O^2$. Since the path satisfies $\Diamond\Box EOO_k^O$, it must be the case that message $m_2$ was received by O, as otherwise O will not send $EOO_k^O$. This implies that the path satisfies $\Diamond\Box EOR$. Since the path satisfies both $\Diamond\Box EOR$ and (5), it follows that the path must satisfy $\Diamond\Box(\neg EOR_k^R \wedge \neg EOR_k^{TTP})$. Hence the path satisfies neither $\Diamond\Box EOR_k^R$ nor $\Diamond\Box EOR_k^{TTP}$, so the path violates $\varphi_O^2$. Since the path satisfies neither $\varphi_O^2$ nor $\varphi_O^3$, it does not satisfy $\varphi_O$, which is a contradiction.

2. Case 2. The path satisfies $\Diamond\Box EOO_k^{TTP}$. If the path satisfies $\Diamond\Box EOO_k^{TTP}$, then either O or R must have sent the resolve request. If the TTP resolves the protocol only for the agent that sends the resolve request and not for the other, then the path does not satisfy $\varphi_{TTP}$, leading to a contradiction. For $\varphi_{TTP}$ to hold, the TTP must have sent both $EOO_k^{TTP}$ and $EOR_k^{TTP}$, which, given that the channels between the agents and the TTP are resilient, implies (a) EOR must have been set by O upon receiving $EOR_k^{TTP}$, leading to the path satisfying $\Diamond\Box EOR$, and (b) the path satisfies $\Diamond\Box EOR_k^{TTP}$. Since the path satisfies $\Diamond\Box EOR$ and $\Diamond\Box EOR_k^{TTP}$, it cannot satisfy (5), leading to a contradiction.



4 Co-synthesis 

In this section we first define processes, schedulers and objectives for synthesis along the lines of [9]. Next we define traditional co-operative [11] and strictly competitive [24,25] versions of the co-synthesis problem; we refer to them as weak co-synthesis and classical co-synthesis, respectively. We then define a formulation of co-synthesis introduced in [9] called assume-guarantee synthesis. We show later in the paper that the protocol model of Section 2 reduces to the process model for synthesis that we present in this section.

Variables, valuations, and traces. Let X be a finite set of variables such that each variable $x \in X$ has a finite domain $D_x$. A valuation f on X is a function $f : X \to \bigcup_{x \in X} D_x$ that assigns to each variable $x \in X$ a value $f(x) \in D_x$. We write $\mathcal{F}[X]$ for the set of valuations on X. A trace on X is an infinite sequence $(v_0, v_1, v_2, \ldots) \in \mathcal{F}[X]^\omega$ of valuations on X. Given a valuation $f[X] \in \mathcal{F}[X]$ and a subset $Y \subseteq X$ of the variables, we denote by $f[X] \downarrow Y$ the restriction of the valuation $f[X]$ to the variables in Y. Similarly, for a trace $\tau(X) = (v_0, v_1, v_2, \ldots)$ on X, we write $\tau(X) \downarrow Y = (v_0 \downarrow Y, v_1 \downarrow Y, v_2 \downarrow Y, \ldots)$ for the restriction of $\tau(X)$ to the variables in Y. The restriction operator is lifted to sets of valuations, and to sets of traces.

Processes and refinement. Let Moves be a finite set of moves. For $i \in \{1, 2, 3\}$, a process is defined by the tuple $P_i = (X_i, \Gamma_i, \delta_i)$ where,

1. $X_i$ is a finite set of variables of process $P_i$, with $X = \bigcup_{i=1}^{3} X_i$ being the set of all process variables,

2. $\Gamma_i : \mathcal{F}_i[X_i] \to 2^{Moves} \setminus \emptyset$ is a move assignment that, given a valuation in $\mathcal{F}_i[X_i]$, returns a non-empty set of moves, where $\mathcal{F}_i[X_i]$ is the set of valuations on $X_i$, and

3. $\delta_i : \mathcal{F}_i[X_i] \times Moves \to 2^{\mathcal{F}_i[X_i]} \setminus \emptyset$ is a non-deterministic transition function.

The set of process variables X may be shared between processes. The processes only choose amongst available moves at every valuation of their variables as determined by their move assignment. The transition function maps a present valuation and a process move to a nonempty set of possible successor valuations such that each successor valuation has a unique pre-image. The uniqueness of the pre-image is a property of fair exchange protocols; unique messages convey unique content and generate unique valuations.

A refinement of process $P_i = (X_i, \Gamma_i, \delta_i)$ is a process $P_i' = (X_i', \Gamma_i', \delta_i')$ such that:

1. $X_i \subseteq X_i'$,

2. for all valuations $f_i[X_i']$ on $X_i'$, we have $\Gamma_i'(f_i[X_i']) \subseteq \Gamma_i(f_i[X_i'] \downarrow X_i)$, and

3. for all valuations $f_i[X_i']$ on $X_i'$ and for all moves $a \in \Gamma_i'(f_i[X_i'])$, we have $\delta_i'(f_i[X_i'], a) \downarrow X_i \subseteq \delta_i(f_i[X_i'] \downarrow X_i, a)$.

In other words, the refined process $P_i'$ has possibly more variables than the original process $P_i$, at most the same moves as the moves of the original process $P_i$ at every valuation, and every possible update of the variables in $X_i$ by $P_i'$ is a possible update by $P_i$. We write $P_i' \preceq P_i$ to denote that $P_i'$ is a refinement of $P_i$. Given refinements $P_1'$ of $P_1$, $P_2'$ of $P_2$ and $P_3'$ of $P_3$, we write $X' = X_1' \cup X_2' \cup X_3'$ for the set of variables of all refinements, and we denote the set of valuations on $X'$ by $\mathcal{F}[X']$.
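For finite processes the three refinement conditions can be checked mechanically. The following Python program is an added example, not code from the paper: it represents a process as $(X_i, \Gamma_i, \delta_i)$ over boolean variables (a valuation is the set of variables that are true, so the restriction $\downarrow Y$ is intersection with Y), and checks $P_i' \preceq P_i$ by the three conditions. The processes O_GEN, O_KM, O_EARLY_M3 and O_TWO_AT_ONCE are constructed, hypothetical originator-like processes over the three variables M1, EOR and M3; they are a simplification for the example and not the process O defined in Section 5.

```python
"""Refinement check P' ≼ P for finite processes (X_i, Gamma_i, delta_i).

Added example.  Valuations are frozensets of the boolean variables that are
true; the restriction operator ↓Y is therefore intersection with Y.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, FrozenSet, Set, Tuple

Valuation = FrozenSet[str]
IDLE = "iota"   # the idle move


@dataclass(frozen=True)
class Process:
    variables: FrozenSet[str]                              # X_i
    moves: Callable[[Valuation], Set[str]]                 # Gamma_i
    step: Callable[[Valuation, str], Set[Valuation]]       # delta_i


def restrict(v: Valuation, Y: FrozenSet[str]) -> Valuation:
    """v ↓ Y: keep only the variables in Y."""
    return frozenset(v & Y)


def all_valuations(X: FrozenSet[str]):
    """F[X] for boolean variables: every subset of X."""
    xs = sorted(X)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def refines(Pp: Process, P: Process) -> Tuple[bool, str]:
    """Decide P' ≼ P by the three conditions of the refinement definition.
    Returns (True, 'refinement') or (False, <first violated condition>)."""
    if not P.variables <= Pp.variables:                    # condition 1
        return False, "condition 1: X_i is not a subset of X_i'"
    for f in all_valuations(Pp.variables):
        g = restrict(f, P.variables)                       # f ↓ X_i
        if not Pp.moves(f) <= P.moves(g):                  # condition 2
            return False, f"condition 2: extra move at {sorted(f)}"
        for a in Pp.moves(f):                              # condition 3
            succ = {restrict(s, P.variables) for s in Pp.step(f, a)}
            if not succ <= P.step(g, a):
                return False, f"condition 3: new successor for move {a} at {sorted(f)}"
    return True, "refinement"


# --- constructed (hypothetical) originator-like processes -------------------
X_O = frozenset({"M1", "EOR", "M3"})


def gamma_general(v):
    """Most liberal behaviour: may idle, send m1 once, send m3 once after EOR."""
    moves = {IDLE}
    if "M1" not in v:
        moves.add("m1")
    if "EOR" in v and "M3" not in v:
        moves.add("m3")
    return moves


def delta_general(v, a):
    """Sending sets the matching predicate; while idle the reply may arrive and
    set EOR (modelled here as non-determinism on the idle move)."""
    if a == IDLE:
        return {v, v | {"EOR"}}
    return {v | {"M1" if a == "m1" else "M3"}}


O_GEN = Process(X_O, gamma_general, delta_general)


def gamma_km(v):
    """Deterministic rule: send m1, wait for EOR, send m3, then idle."""
    if "M1" not in v:
        return {"m1"}
    if "EOR" in v and "M3" not in v:
        return {"m3"}
    return {IDLE}


O_KM = Process(X_O, gamma_km, delta_general)            # a valid refinement


def gamma_early(v):
    """Sends m3 as soon as m1 is out, before EOR: a move O_GEN never allows."""
    if "M1" not in v:
        return {"m1"}
    if "M3" not in v:
        return {"m3"}
    return {IDLE}


O_EARLY_M3 = Process(X_O, gamma_early, delta_general)   # violates condition 2


def delta_two_at_once(v, a):
    """Sets M1 and M3 together on m1: a successor O_GEN never produces."""
    if a == "m1":
        return {v | {"M1", "M3"}}
    return delta_general(v, a)


O_TWO_AT_ONCE = Process(X_O, gamma_general, delta_two_at_once)   # violates condition 3

if __name__ == "__main__":
    for name, cand in [("O_KM", O_KM), ("O_EARLY_M3", O_EARLY_M3), ("O_TWO_AT_ONCE", O_TWO_AT_ONCE)]:
        print(name, refines(cand, O_GEN))
```

The check enumerates all valuations of the candidate's variables, restricts each to the original's variables, and compares move sets and successor sets; condition 3 is where a refinement that silently changes more state than the original (O_TWO_AT_ONCE) is rejected, even though its moves are identical.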

Schedulers. Given processes $P_i$, where $i \in \{1, 2, 3\}$, a scheduler Sc for $P_i$ chooses at each computation step whether it is process $P_1$'s turn, process $P_2$'s turn or process $P_3$'s turn to update her variables. Formally, the scheduler Sc is a function $Sc : \mathcal{F}[X]^* \to \{1, 2, 3\}$ that maps every finite sequence of global valuations (representing the history of a computation) to $i \in \{1, 2, 3\}$, signaling that process $P_i$ is next to update her variables. The scheduler Sc is fair if it assigns turns to $P_1$, $P_2$ and $P_3$ infinitely often; i.e., for all traces $(v_0, v_1, v_2, \ldots) \in \mathcal{F}[X]^\omega$, there exist infinitely many $j_i \geq 0$ such that $Sc(v_0, \ldots, v_{j_1}) = 1$, $Sc(v_0, \ldots,v_{j_2}) = 2$ and $Sc(v_0, \ldots, v_{j_3}) = 3$. Given three processes $P_1 = (X_1, \Gamma_1, \delta_1)$, $P_2 = (X_2, \Gamma_2, \delta_2)$ and $P_3 = (X_3, \Gamma_3, \delta_3)$, a scheduler Sc for $P_1$, $P_2$ and $P_3$, and a start valuation $v_0 \in \mathcal{F}[X]$, the set of possible traces is:

$$[(P_1 \parallel P_2 \parallel P_3 \parallel Sc)(v_0)] = \{(v_0, v_1, v_2, \ldots) \in \mathcal{F}[X]^\omega \mid \forall j \geq 0.\ Sc(v_0, \ldots, v_j) = i;\ v_{j+1} \downarrow (X \setminus X_i) = v_j \downarrow (X \setminus X_i);\ v_{j+1} \downarrow X_i \in \delta_i(v_j \downarrow X_i, a) \text{ for some } a \in \Gamma_i(v_j \downarrow X_i)\} .$$



Note that during turns of one process $P_i$, the values of the private variables $X \setminus X_i$ of the other processes remain unchanged. We define the projection of traces to moves as follows:

$$(v_0, v_1, v_2, \ldots) \downarrow Moves = \{(a_0, a_1, a_2, \ldots) \in Moves^\omega \mid \forall j \geq 0.\ Sc(v_0, \ldots, v_j) = i:\ v_{j+1} \downarrow X_i \in \delta_i(v_j \downarrow X_i, a_j);\ a_j \in \Gamma_i(v_j \downarrow X_i)\} .$$

Specifications. A specification $\varphi_i$ for process $P_i$ is a set of traces on X; that is, $\varphi_i \subseteq \mathcal{F}[X]^\omega$. We consider only $\omega$-regular specifications [31]. We define boolean operations on specifications using logical operators such as $\wedge$ (conjunction) and $\Rightarrow$ (implication).

The input to the co-synthesis problem is given as follows: for $i \in \{1, 2, 3\}$, processes $P_i = (X_i, \Gamma_i, \delta_i)$, specifications $\varphi_i$ for process i, and a start valuation $v_0 \in \mathcal{F}[X]$.

Weak co-synthesis. The weak co-synthesis problem is defined as follows: do there exist refinements $P_i' = (X_i', \Gamma_i', \delta_i')$ and a valuation $v_0' \in \mathcal{F}[X']$, such that,

1. $P_i' \preceq P_i$ and $v_0' \downarrow X = v_0$, and

2. For all fair schedulers Sc for $P_i'$ we have,

$$[(P_1' \parallel P_2' \parallel P_3' \parallel Sc)(v_0')] \downarrow X \subseteq (\varphi_1 \wedge \varphi_2 \wedge \varphi_3) .$$

Intuitively, weak co-synthesis or co-operative co-synthesis is a synthesis formulation that seeks refinements $P_1'$, $P_2'$ and $P_3'$ where the processes co-operate to satisfy their respective objectives.

Classical co-synthesis. The classical co-synthesis problem is defined as follows: do there exist refinements $P_i' = (X_i', \Gamma_i', \delta_i')$ and a valuation $v_0' \in \mathcal{F}[X']$, such that,

1. $P_i' \preceq P_i$ and $v_0' \downarrow X = v_0$, and

2. For all fair schedulers Sc for $P_i'$ we have,

(a) $[(P_1' \parallel P_2 \parallel P_3 \parallel Sc)(v_0')] \downarrow X \subseteq \varphi_1$;

(b) $[(P_1 \parallel P_2' \parallel P_3 \parallel Sc)(v_0')] \downarrow X \subseteq \varphi_2$;

(c) $[(P_1 \parallel P_2 \parallel P_3' \parallel Sc)(v_0')] \downarrow X \subseteq \varphi_3$.

Classical or strictly competitive co-synthesis is a formulation that seeks refinements $P_1'$, $P_2'$ and $P_3'$ such that $P_1'$ can satisfy $\varphi_1$ against all possible, and hence adversarial, behaviors of the other processes; similarly for $P_2'$ and $P_3'$.

Assume-guarantee synthesis. The assume-guarantee synthesis problem is defined as follows: do there exist refinements $P_i' = (X_i', \Gamma_i', \delta_i')$ and a valuation $v_0' \in \mathcal{F}[X']$, such that,

1. $P_i' \preceq P_i$ and $v_0' \downarrow X = v_0$, and

2. For all fair schedulers Sc for $P_i'$ we have,

(a) $[(P_1' \parallel P_2 \parallel P_3 \parallel Sc)(v_0')] \downarrow X \subseteq (\varphi_2 \wedge \varphi_3) \Rightarrow \varphi_1$;

(b) $[(P_1 \parallel P_2' \parallel P_3 \parallel Sc)(v_0')] \downarrow X \subseteq (\varphi_1 \wedge \varphi_3) \Rightarrow \varphi_2$;

(c) $[(P_1 \parallel P_2 \parallel P_3' \parallel Sc)(v_0')] \downarrow X \subseteq (\varphi_1 \wedge \varphi_2) \Rightarrow \varphi_3$;

(d) $[(P_1' \parallel P_2' \parallel P_3' \parallel Sc)(v_0')] \downarrow X \subseteq (\varphi_1 \wedge \varphi_2 \wedge \varphi_3)$.

Assume-guarantee synthesis or conditionally competitive co-synthesis is a formulation that seeks refinements $P_1'$, $P_2'$ and $P_3'$ such that $P_1'$ can satisfy $\varphi_1$ as long as processes $P_2$ and $P_3$ satisfy their objectives; similarly for $P_2'$ and $P_3'$. This synthesis formulation is well suited for those cases where processes are primarily concerned with satisfying their own objectives and only secondarily concerned with violating the objectives of the other processes. We want protocols to be correct under arbitrary behaviors of the participants, and the arbitrary or worst case behavior of a participant, without sabotaging her own objective, is to first satisfy her own objective, and only then to falsify the objectives of the other participants. The primary goal of satisfying her own objective, and the secondary goal of falsifying the other participants' objectives, formally captures this worst case or arbitrary behavior assumption. We show that this synthesis formulation is the only one that works for fair non-repudiation protocols. While classical co-synthesis can be solved as zero-sum games, assume-guarantee synthesis can be solved using non zero-sum games with lexicographic objectives [9]. For brevity, we drop the initial valuation $v_0$ in the set of traces.

5 Protocol Co-synthesis 

In this section, we present our results on synthesizing fair non-repudiation protocols. We use the process model in Section 4 to define agent and TTP processes, with objectives as defined in Section 3. We then introduce the protocol synthesis model and show that classical co-synthesis fails and weak co-synthesis generates unacceptable solutions. We provide a game-theoretic justification of the need for a TTP by showing that without the TTP neither classical co-synthesis nor assume-guarantee synthesis can be used to synthesize fair non-repudiation protocols. We define the set $P_{AGS}$ of assume-guarantee refinements and prove that the refinements are attack-free. We then present an alternate characterization of the set $P_{AGS}$ and show that the Kremer-Markowitch (KM) non-repudiation protocol with offline TTP, proposed in [20, 14, 16], is included in $P_{AGS}$ whereas the ASW certified mail protocol and the GJM protocol are not. Finally, we systematically analyze refinements of the most general agents and the TTP with respect to their membership in $P_{AGS}$ and show that the KM protocol can be automatically generated.

The process O. We distinguish between the set of messages sent by O and the set of messages received by O. We first recall, from Section 2, that O sets the predicates EOR, $EOR_k^R$, $EOR_k^{TTP}$ and AO when she receives messages $m_2$, $m_4$, $r_2^O$ and $a_2^O$ respectively. We add to this set the predicates $M_1$, $M_3$, $ABR^O$ and $RES^O$ that are set by O when she sends messages $m_1$, $m_3$, $a_1^O$ and $r_1^O$ respectively. We take the set of variables of the process O as $X_O = \{M_1, EOR, M_3, EOR_k^R, EOR_k^{TTP}, ABR^O, RES^O, AO\}$; the union of the predicates set by O when she receives messages and the set of predicates set by O when she sends messages. By an abuse of notation, we take the set of all messages that can be sent by O as the moves of process O. By including an idle move $\iota$, which O may choose in lieu of sending a message, we get the following set of moves for O: $Moves_O = \{\iota, m_1, m_3, a_1^O, r_1^O\}$.

The process R. Similar to the case of process O, we define the set of variables of process R as the union of the set of predicates set by R when he sends messages and the set of predicates he sets when he receives messages. We have the predicates EOO, $EOO_k^O$, $EOO_k^{TTP}$ and AR, set by R when he receives messages $m_1$, $m_3$, $r_2^R$ and $a_2^R$ respectively. We add to this the predicates $M_2$, $M_4$ and $RES^R$, set by R when he sends messages $m_2$, $m_4$ and $r_1^R$ respectively. This gives us the following variables for process R: $X_R = \{EOO, M_2, EOO_k^O, M_4, EOO_k^{TTP}, RES^R, AR\}$. The set of moves for R is given by $Moves_R = \{\iota, m_2, m_4, r_1^R\}$. In Figure 1, we show an interface automaton for an agent. Since an agent can act either as an originator or a recipient, we show the actions available to the agent in both roles in the figure.

The process TTP. The predicates ABR and RES are set by the TTP when she receives an abort or a resolve request from either agent. We add to this the predicates $A_2^O$, $A_2^R$, $R_2^O$ and $R_2^R$, set by the TTP when she sends messages $a_2^O$, $a_2^R$, $r_2^O$ and $r_2^R$ respectively. We get the following set of process variables for the TTP: $X_{TTP} = \{ABR, RES, A_2^O, A_2^R, R_2^O, R_2^R\}$. The set of moves for the TTP is defined as follows: $Moves_{TTP} = \{\iota, a_2^O, a_2^R, [a_2^O, a_2^R], r_2^O, r_2^R, [r_2^O, r_2^R]\}$. The TTP move $[a_2^O, a_2^R]$ results in the TTP sending messages $a_2^O$ to O and $a_2^R$ to R. The TTP can choose to send them in any order; all that is guaranteed is that both messages will be sent by the TTP. Similarly for the TTP move $[r_2^O, r_2^R]$. The moves for the TTP are shown in Table 1; these include the moves for the TTP in the ASW certified mail protocol [4], the GJM protocol [13] and the KM protocol [20]. We show moves for the TTP with and without a persistent database for completeness. Since it is trivially the case that TTP accountability cannot be satisfied without a persistent database, we do not consider the absence of a persistent database in the rest of this paper.

Fig. 1: An interface automaton that shows the states and enabled moves of the agents O (on the left) and R (on the right). Move $\iota$ is the idle move. The states with no outgoing edges are terminal. We consider the most liberal behaviors of the agents wherein the abort and resolve messages can be sent from all states where the agents have the data they need to send those messages. The predicates are monotonic and are shown in the first state at which they hold. In states that can be either agent state, we use the * in the messages $a_1^*$, $r_1^*$, $r_2^*$ to denote one of O or R. Abort or resolve requests can be sent from the states marked terminal, but they have no bearing on the outcome of the protocol and hence we omit them.

The protocol synthesis model. We now have all the ingredients to define our protocol synthesis model. Given process O, process R and process TTP as defined above, we take $X = X_O \cup X_R \cup X_{TTP}$ as the joint set of process variables. We take the objectives $\varphi_O$, $\varphi_R$ and $\varphi_{TTP}$ for the processes O, R and TTP respectively, as defined in Section 3. The set of traces $[O \parallel R \parallel TTP \parallel Sc]$, given Sc is a fair scheduler, is then the joint behavior of the most general agents and the most general TTP, subject to the constraint that they can only send messages based on what they know at every valuation of their variables. A protocol is a refinement $O' \preceq O$, $R' \preceq R$ and $TTP' \preceq TTP$, where each participant has a restricted set of moves at every valuation of the process variables; the restrictions constitute the rules of the protocol. We take a protocol state as a valuation over the process variables. By an abuse of notation, we represent every state of the protocol by the set of variables that are set to true in that state; for example, a valuation $f = \{M_1, EOO, M_2, EOR\}$ corresponds to the state of the protocol after messages $m_1$ and $m_2$ have been received. $f \downarrow X_R = \{EOO, M_2\}$ corresponds to the restriction of the valuation f to the variables of process R; all that R knows in this state is that he has received $m_1$ and has sent $m_2$. We take $v_0$ as the initial valuation where all variables are false. The sets of variables in the refinements $O' \preceq O$, $R' \preceq R$ and $TTP' \preceq TTP$ are the same as those in processes O, R and TTP, respectively, and all traces begin with the initial valuation $v_0$. We do not model the set of channels explicitly but reason against all possible behaviors of unreliable channels. We assume that every message at least includes the name of the sender, is signed with the private key of the sender and encrypted with the public key of the recipient.

Table 1: In this table we list the choices of moves available to the trusted third party. Each row begins with a message sent by an agent to the TTP followed by the choices available to the TTP in all subsequent states. The TTP moves for the ASW, GJM and KM protocols are shown.

| Agent moves    | Enabled TTP moves, without DB | With a persistent DB: ASW                          | With a persistent DB: GJM              | With a persistent DB: KM                              |
| O sends $a_1^O$ |                              | If R has recovered, invite to recover, else $a_2^O$ | If recovered, then $r_2^O$ else $a_2^O$ | If aborted or recovered, then $\iota$ else $[a_2^O, a_2^R]$ |
| O sends $r_1^O$ | $r_2^O$                      | If aborted, then $a_2^O$ else $r_2^O$              | If aborted, then … else …              | If aborted or recovered, then $\iota$ else $[r_2^O, r_2^R]$ |
| R sends $r_1^R$ |                              | If aborted, then $a_2^R$ else $r_2^R$              | If aborted, then $a_2^R$ else …        | If aborted or recovered, then $\iota$ else $[r_2^O, r_2^R]$ |

The following theorem states that the protocol model from Section 2 and the protocol synthesis model presented above are equivalent. Let $A_0 = O$, $A_1 = R$ and $A_2 = TTP$ be the most general participants with $\mathcal{A} = \{A_0, A_1, A_2\}$ and variables $V_0 = X_O$ for $A_0$, $V_1 = X_R$ for $A_1$ and $V_2 = X_{TTP}$ for $A_2$ as defined above. It is then easy to show that,

Theorem 2 (Trace equivalence of models) For all participant restrictions $A_i'$ and refinements $O' \preceq O$, $R' \preceq R$ and $TTP' \preceq TTP$, such that $i \in \{0, 1, 2\}$ with $j = O$ when $i = 0$, $j = R$ when $i = 1$ and $j = TTP$ when $i = 2$, for all valuations $v \in \mathcal{F}[X]$, if $A_i'(v) = \Gamma_j'(v)$, then we have $Runs(\{A_0', A_1', A_2'\}) = [O' \parallel R' \parallel TTP' \parallel Sc]$.

We note that in Theorem 2, when we say all restrictions $A_i'$ or all refinements O', R', and TTP', the most general participants are included (for example O' can be O) and hence Theorem 2 covers trace equivalence for all required cases.

5.1 Failure of Classical and Weak Co-Synthesis 

In this subsection we show that classical co-synthesis fails while weak co-synthesis generates solutions that are not attack-free and are hence unacceptable. We first tackle classical co-synthesis. In order to show failure of classical co-synthesis we need to show that one of the following conditions:

1. $[(O' \parallel R \parallel TTP \parallel Sc)] \subseteq \varphi_O$;

2. $[(O \parallel R' \parallel TTP \parallel Sc)] \subseteq \varphi_R$;

3. $[(O \parallel R \parallel TTP' \parallel Sc)] \subseteq \varphi_{TTP}$,

can be violated. We show that for all refinements R' of the recipient R, that is, for every sequence of moves ending in a move chosen by R', there exist moves for the other processes O, TTP and Sc, and a behavior of the channels, to extend that sequence such that the objective $\varphi_R$ is violated. Since R should satisfy his objective against all possible behaviors of the channels, to show failure of classical co-synthesis it suffices to fix the behavior of all channels. We assume the channels eventually deliver all messages.

Theorem 3 (Classical co-synthesis fails for R) For all refinements $R' \preceq R$, the following assertion holds:

$$[O \parallel R' \parallel TTP \parallel Sc] \not\subseteq \varphi_R .$$

Proof We consider every valuation of the process variables and the set of all possible moves that can be selected by R at each valuation. This defines all possible refinements of R. Since every valuation is the result of a finite sequence of moves (messages) chosen (sent) by the agents and the TTP, it suffices to consider all possible finite sequences of messages received, ending in a message chosen by R. Let $\tau = (v_0, v_1, \ldots, v_n)$ be a finite sequence of valuations seen in a partial protocol run, where $v_0$ is the starting valuation. Let $\alpha = \tau \downarrow Moves = (a_0, a_1, \ldots, a_{n-1})$ be the corresponding sequence of n moves seen in the run. At the beginning of a protocol run, we have $\alpha = \emptyset$. In the following, on a case by case basis, we show the sequence of moves seen in a partial protocol run, ending in a move chosen by R, followed by moves for O, TTP and Sc that lead to a violation of $\varphi_R$.

R1: $(m_1, \iota)$

— Whenever Sc schedules O, she chooses the idle action $\iota$. Since EOO is true, as long as O does not abort the protocol but chooses to remain idle, $\varphi_R$ is violated.

— $\varphi_R$ and $\varphi_O$ are violated but $\varphi_{TTP}$ is satisfied.

R2: $(m_1, m_2)$

— Sc schedules O; O sends $r_1^O$ to TTP;

— Sc schedules TTP; TTP resolves the protocol for O and sends $r_2^O$;

— Sc schedules O; O aborts the protocol by sending $a_1^O$;

— Sc schedules TTP; TTP sends $[a_2^O, a_2^R]$ with R having no option of obtaining O's signature;

— $\varphi_R$ and $\varphi_{TTP}$ are violated but $\varphi_O$ is satisfied.

R3: $(m_1, r_1^R)$

— Sc schedules TTP; TTP resolves and sends $[r_2^O, r_2^R]$;

— Sc schedules O; O sends $a_1^O$ to TTP;

— Sc schedules TTP; TTP sends $[a_2^O, a_2^R]$;

— $\varphi_R$, $\varphi_{TTP}$ and $\varphi_O$ are violated.

R4: $(m_1, m_2, r_1^R)$

— Sc schedules TTP; TTP resolves and sends $[r_2^O, r_2^R]$;

— Sc schedules O; O sends $a_1^O$ to TTP;

— Sc schedules TTP; TTP sends $a_2^R$;

— $\varphi_R$ and $\varphi_{TTP}$ are violated but $\varphi_O$ is satisfied.



It is easy to verify that the sequences in the proof are exhaustive. From the agent interface automaton shown in Figure 1 we can extract all the partial sequences of moves ending in a move of R, and similarly for O. In all of the above cases, $\varphi_R$ is violated. In all of the above cases $\varphi_O \wedge \varphi_{TTP}$ is also violated. This shows that for all counter moves of O and the TTP, violation of the specification of R also violates the specification of O or the TTP. Since O and the TTP co-operate, O never sends $m_3$, instead choosing to use the TTP to get her non-repudiation evidence while denying R the ability to get his evidence.

The following example illustrates that, given our objectives and given a reasonable TTP as defined in Section 2, weak co-synthesis yields solutions that are not attack-free and are hence unacceptable.

Example 1. (Weak co-synthesis generates unacceptable solutions) Consider a refinement O', R' and TTP' that generates the following sequence of messages: $(m_1, m_2, r_1^O, r_2^O, r_1^R, r_2^R)$; the agents send $m_1$ and $m_2$ and then resolve the protocol individually. We assume that TTP' needs both $m_1$ and $m_2$ to resolve the protocol for either O or R. The trace corresponding to this sequence satisfies weak co-synthesis, but then this behavior of the TTP, that assumes co-operative agent behavior, is not attack-free. Taking $Y = \{R\}$, consider the following Y-attack where R exploits the fact that a reasonable TTP responds with $r_2^R$ when she receives $r_1^R$. If R sends a resolve request immediately after receiving $m_1$ we get the message sequence $(m_1, r_1^R, r_2^R)$. In this case $\varphi_R$ is satisfied, but $\varphi_O$ and $\varphi_{TTP}$ are violated. The only way to satisfy $\varphi_O$ and $\varphi_{TTP}$ is if O' sends $r_1^O$, which she cannot do, as she does not know the contents of $m_2$. This is an attack on the ASW certified mail protocol that compromises fairness for O [16]. Similarly, there exists a Y-attack for $Y = \{O, R\}$ as follows: after resolving the protocol, if O decides to send $m_3$ and R responds with $m_4$, we get the following message sequence: $(m_1, m_2, r_1^O, r_2^O, m_3, m_4)$. In this case, the objectives $\varphi_O$ and $\varphi_R$ are satisfied but the objective $\varphi_{TTP}$ is violated; a reasonable TTP will only send messages in response to abort and resolve requests and thus needs $r_1^R$ to satisfy $\varphi_{TTP}$. Therefore, solutions that satisfy weak co-synthesis may not be attack-free. ∎
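The objectives (2), (3) and (4) of Section 3, the runs R1 to R4 in the proof of Theorem 3, and the runs of Example 1 can all be checked by the same small evaluator. The following Python program is an added example, not code from the paper: it maps each message to the predicates it sets (the sender's and the receiver's, following the process definitions of O, R and the TTP), builds the valuation trace of a run from its message sequence, and evaluates $\varphi_O$, $\varphi_R$ and $\varphi_{TTP}$ as LTL formulas over that trace. Its assumptions: channels deliver every message, so a message sets its send and receive predicates in one step (as assumed in the proof of Theorem 3); predicates are monotonic, so the last valuation of a run repeats forever and the finite prefix decides every formula; and $\varphi_O^1$ is taken as $\Diamond M_1$, the form used in the proof of Theorem 4. All runs in RUNS are constructed from the text.

```python
"""Evaluate phi_O, phi_R and phi_TTP (equations (2)-(4)) on protocol runs given
as message sequences.  Added example; the encoding is this example's own."""

# Predicates set by each message: the sender's 'sent' predicate and the
# receiver's 'received' predicate.  Assumption: channels deliver every message,
# so both are set in the same step.  A TTP pair move such as [a_2^O, a_2^R] is
# written as a tuple of the two messages.
MSG_PREDICATES = {
    "m1": {"M1", "EOO"},          "m2": {"M2", "EOR"},
    "m3": {"M3", "EOO_k^O"},      "m4": {"M4", "EOR_k^R"},
    "a1^O": {"ABR^O", "ABR"},     "r1^O": {"RES^O", "RES"},   "r1^R": {"RES^R", "RES"},
    "a2^O": {"A2^O", "AO"},       "a2^R": {"A2^R", "AR"},
    "r2^O": {"R2^O", "EOR_k^TTP"}, "r2^R": {"R2^R", "EOO_k^TTP"},
}


def trace_of(messages):
    """Valuation trace (sets of true predicates), starting from v0 where all
    predicates are false.  Predicates are monotonic, so the last valuation is
    taken to stutter forever (the agents idle from then on)."""
    trace, state = [frozenset()], set()
    for msg in messages:
        for m in (msg if isinstance(msg, tuple) else (msg,)):
            state |= MSG_PREDICATES[m]
        trace.append(frozenset(state))
    return trace


# LTL formulas as closures f(trace, i) evaluated at position i.  Because the
# final valuation repeats forever, every formula has the same value at all
# positions >= len(trace)-1, so quantifying over the finite prefix is exact.
def atom(p):       return lambda t, i: p in t[i]
def neg(f):        return lambda t, i: not f(t, i)
def conj(*fs):     return lambda t, i: all(f(t, i) for f in fs)
def disj(*fs):     return lambda t, i: any(f(t, i) for f in fs)
def implies(a, b): return lambda t, i: (not a(t, i)) or b(t, i)
def F(f):          return lambda t, i: any(f(t, j) for j in range(i, len(t)))   # eventually
def G(f):          return lambda t, i: all(f(t, j) for j in range(i, len(t)))   # always


M1, EOO, EOR, AO, AR, ABR, RES = map(atom, ["M1", "EOO", "EOR", "AO", "AR", "ABR", "RES"])
EOO_O, EOO_T = atom("EOO_k^O"), atom("EOO_k^TTP")
EOR_R, EOR_T = atom("EOR_k^R"), atom("EOR_k^TTP")

phi_O1 = F(M1)   # assumption: phi_O^1 = <>M1, as in the proof of Theorem 4
phi_O2 = disj(F(EOR_R), conj(F(EOR_T), G(neg(AO))))
phi_O3 = conj(F(AO), G(conj(neg(EOO_O), neg(EOO_T))))
phi_O = conj(phi_O1, G(disj(phi_O2, phi_O3)))                         # (2)

phi_R1 = disj(F(EOO_O), conj(F(EOO_T), G(neg(AR))))
phi_R2 = conj(F(AR), G(conj(neg(EOR_R), neg(EOR_T))))
phi_R = G(implies(EOO, disj(phi_R1, phi_R2)))                         # (3)

no_abort = G(conj(neg(AO), neg(AR)))
no_ttp_evidence = G(conj(neg(EOO_T), neg(EOR_T)))
phi_TTP = conj(                                                       # (4)
    G(implies(disj(ABR, RES), disj(F(AO), F(AR), F(EOO_T), F(EOR_T)))),
    G(implies(EOO_T, conj(F(EOR_T), no_abort))),
    G(implies(EOR_T, conj(F(EOO_T), no_abort))),
    G(implies(AO, conj(F(AR), no_ttp_evidence))),
    G(implies(AR, conj(F(AO), no_ttp_evidence))),
)


def check(messages):
    """Return the truth values (phi_O, phi_R, phi_TTP) for a run."""
    t = trace_of(messages)
    return (phi_O(t, 0), phi_R(t, 0), phi_TTP(t, 0))


# Constructed runs: the main protocol, cases R1-R4 of the proof of Theorem 3
# (R1 is m1 followed by O idling forever), the co-operative run of Example 1
# and its two Y-attacks.
RUNS = {
    "main":      ["m1", "m2", "m3", "m4"],
    "R1":        ["m1"],
    "R2":        ["m1", "m2", "r1^O", "r2^O", "a1^O", ("a2^O", "a2^R")],
    "R3":        ["m1", "r1^R", ("r2^O", "r2^R"), "a1^O", ("a2^O", "a2^R")],
    "R4":        ["m1", "m2", "r1^R", ("r2^O", "r2^R"), "a1^O", "a2^R"],
    "weak":      ["m1", "m2", "r1^O", "r2^O", "r1^R", "r2^R"],
    "attack_R":  ["m1", "r1^R", "r2^R"],
    "attack_OR": ["m1", "m2", "r1^O", "r2^O", "m3", "m4"],
}

if __name__ == "__main__":
    for name, run in RUNS.items():
        o, r, ttp = check(run)
        print(f"{name:10s} phi_O={o!s:5} phi_R={r!s:5} phi_TTP={ttp}")
```

Running it reproduces the verdicts stated in the text: the main run satisfies all three objectives, R2 and R4 satisfy $\varphi_O$ only, R3 violates all three, the co-operative run of Example 1 satisfies all three, the attack by R satisfies $\varphi_R$ only, and the attack by O and R together violates only $\varphi_{TTP}$ because the TTP sent $r_2^O$ without ever receiving $r_1^R$.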

5.2 The Need for a TTP 

We now provide a justification of the need for a TTP in fair non-repudiation protocols, given our synthesis objective. While this follows from [12, 21], our proof gives an alternative game-theoretic proof through synthesis. We present the following theorem, which shows that if we remove the TTP, then both classical and assume-guarantee synthesis fail to synthesize a fair non-repudiation protocol.

Theorem 4 (Classical and assume-guarantee synthesis fail without the TTP) For all refinements $O' \preceq O$, the following assertions hold:

1. Classical co-synthesis fails: $[O' \parallel R \parallel Sc] \not\subseteq \varphi_O$.

2. Assume-guarantee synthesis fails:

(a) $[O' \parallel R \parallel Sc] \not\subseteq (\varphi_R \Rightarrow \varphi_O)$; or

(b) $[O' \parallel R \parallel Sc] \subseteq (\varphi_R \Rightarrow \varphi_O)$; $[O \parallel R' \parallel Sc] \subseteq (\varphi_O \Rightarrow \varphi_R)$; and $[O' \parallel R' \parallel Sc] \not\subseteq (\varphi_O \wedge \varphi_R)$.

Proof We note that as the TTP is not involved, AO, AR, $EOO_k^{TTP}$ and $EOR_k^{TTP}$ are always false. The agent objectives then simplify to,

$$\varphi_O = \Diamond M_1 \wedge \Diamond EOR_k^R$$

$$\varphi_R = \Box(EOO \Rightarrow \Diamond EOO_k^O)$$

For assertion 1, consider an arbitrary refinement $O' \preceq O$. We show a witness trace in $[O' \parallel R \parallel Sc]$ that violates $\varphi_O$. If O' does not send $m_1$ in the initial protocol state $v_0$, then we have a witness trace that trivially violates $\varphi_O$ and hence $[O' \parallel R \parallel Sc] \not\subseteq \varphi_O$. Assume O' sends $m_1$ and the channel between O and R eventually delivers all messages. Consider a partial trace ending in protocol state $\{M_1, EOO, M_2, EOR\}$; messages $m_1$ and $m_2$ have been received. The only choices of moves for O' in this state of the protocol are $\iota$ or $m_3$. If O' chooses $\iota$, then the trace does not satisfy $\varphi_O$ and hence $[O' \parallel R \parallel Sc] \not\subseteq \varphi_O$. If O' chooses $m_3$ and, upon receiving $m_3$, R decides to stop participating in the protocol by choosing $\iota$, then the trace satisfies $\varphi_R$ but violates $\varphi_O$ and hence $[O' \parallel R \parallel Sc] \not\subseteq \varphi_O$.

For assertion 2, consider an arbitrary refinement $O' \preceq O$. If O' does not send $m_1$ in the initial protocol state $v_0$, we have a witness trace that trivially violates $\varphi_O$ but satisfies $\varphi_R$. Therefore, the trace does not satisfy $\varphi_R \Rightarrow \varphi_O$ and $[O' \parallel R \parallel Sc] \not\subseteq (\varphi_R \Rightarrow \varphi_O)$. Assume the channels eventually deliver all messages and, as in the proof of assertion 1, consider a partial trace ending in protocol state $\{M_1, EOO, M_2, EOR\}$. To produce a witness trace we have the following cases based on the move chosen by O':

— Case 1. O' chooses $\iota$. Since O' chooses $\iota$, she does not send her signature $EOO_k^O$. Therefore, the trace does not satisfy $\varphi_R$. Since R sends $m_4$ only in response to $m_3$, O does not get $EOR_k^R$ from R in this case. Therefore, the trace does not satisfy $\varphi_O$ either and hence satisfies $\varphi_O \Rightarrow \varphi_R$ and $\varphi_R \Rightarrow \varphi_O$ but does not satisfy $\varphi_O \wedge \varphi_R$. This leads to $[O' \parallel R \parallel Sc] \subseteq (\varphi_O \Rightarrow \varphi_R)$ and $[O' \parallel R \parallel Sc] \subseteq (\varphi_R \Rightarrow \varphi_O)$ but $[O' \parallel R \parallel Sc] \not\subseteq (\varphi_O \wedge \varphi_R)$.

— Case 2. O' chooses $m_3$. Since $m_3$ is eventually delivered, R gets his non-repudiation evidence and the trace satisfies $\varphi_R$. If R now stops participating in the protocol and chooses the idle move $\iota$ instead of sending $m_4$, then O does not get her non-repudiation evidence and the trace does not satisfy $\varphi_O$. We therefore have a witness trace that does not satisfy $\varphi_R \Rightarrow \varphi_O$. This leads to $[O' \parallel R \parallel Sc] \not\subseteq (\varphi_R \Rightarrow \varphi_O)$. ∎

If the agents co-operate, then a refinement $O' \preceq O$ that sends $m_1$ and then $m_3$ upon receiving $m_2$, and similarly a refinement $R' \preceq R$ that sends $m_2$ and $m_4$ upon receiving $m_1$ and $m_3$ respectively, is a solution to the weak co-synthesis problem. The sequence of messages in this case is precisely $(m_1, m_2, m_3, m_4)$, which is the main protocol in all the fair exchange protocols we have studied. The problem arises when either O or R is dishonest and tries to cheat the other agent.

5.3 Assume-guarantee Solutions are Attack-Free

In this subsection we show that assume-guarantee solutions are attack-free; no coalition of participants can violate the objective of at least one of the other participants while satisfying their own objectives. Let $P' = (O', R', TTP')$ be a tuple of refinements of the agents and the TTP. For two refinements $P' = (O', R', TTP')$ and $P'' = (O'', R'', TTP'')$, we write $P' \preceq P''$ if $O' \preceq O''$, $R' \preceq R''$ and $TTP' \preceq TTP''$. Given $P = (O, R, TTP)$, the most general behaviors of the agents and the TTP, let $P_{AGS}$ be the set of all possible refinements $P' \preceq P$ that satisfy the conditions of assume-guarantee synthesis. For a refinement $P' = (O', R', TTP')$ to be in $P_{AGS}$, we require that the refinements $O' \preceq O$, $R' \preceq R$ and $TTP' \preceq TTP$ satisfy the following conditions:

For all fair schedulers $Sc$, for all possible behaviors of the channels,

1. $[O' \parallel R \parallel TTP \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$;

2. $[O \parallel R' \parallel TTP \parallel Sc] \subseteq (\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$;

3. $[O \parallel R \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$;

4. $[O' \parallel R' \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$.

We now characterize the smallest restriction on the refinements $TTP' \preceq TTP$ that satisfy the implication condition

$$[O \parallel R \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}. \qquad (6)$$

In order to characterize the smallest restriction on $TTP'$ we first define the following constraints on the TTP and prove that they are both necessary and sufficient to satisfy (6).

AGS constraints on the TTP. We say that a refinement $TTP' \preceq TTP$ satisfies the AGS constraints on the TTP if $TTP'$ satisfies the following constraints:

1. Abort constraint. If the first request received by the TTP is an abort request, then her response to that request should be $[a^O_2, a^R_2]$;

2. Resolve constraint. If the first request received by the TTP is a resolve request, then her response to that request should be $[r^O_2, r^R_2]$;

3. Accountability constraint. If the first response from the TTP is $[x, y]$, then for all subsequent abort or resolve requests her response should be in the set $\{\iota, x, y, [x, y]\}$.

We assume a reasonable TTP, as defined in Section 2; in particular she only responds to abort or resolve requests. In the following lemma, in assertion 1 we show that every refinement $TTP' \preceq TTP$ that satisfies the AGS constraints on the TTP is inviolable, i.e., neither agent can violate the objective $\varphi_{TTP}$, and hence satisfies the implication condition (6); in assertion 2 we show that if $TTP'$ does not satisfy the AGS constraints on the TTP, the implication condition (6) is not satisfied.

Lemma 1 For all refinements $TTP' \preceq TTP$, the following assertions hold:

1. if $TTP'$ satisfies the AGS constraints on the TTP, then

$$[O \parallel R \parallel TTP' \parallel Sc] \subseteq \varphi_{TTP} \subseteq (\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP};$$

2. if $TTP'$ does not satisfy the AGS constraints on the TTP, then

$$[O \parallel R \parallel TTP' \parallel Sc] \not\subseteq (\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}.$$

Proof For assertion 1, consider an arbitrary $TTP' \preceq TTP$ that satisfies the AGS constraints on the TTP. We consider the following cases of sets of traces of $[O \parallel R \parallel TTP' \parallel Sc]$ for the proof:

— Case 1. Neither agent aborts nor resolves the protocol. In these traces, since the TTP is sent neither an abort nor a resolve request, $\varphi_{TTP}$ is satisfied trivially. Therefore, all these traces satisfy $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$.

— Case 2. The first request to the TTP is an abort request. For the set of traces where the first request to the TTP is an abort request, given $TTP'$ satisfies the AGS constraints on the TTP, by the abort constraint the response of the TTP to this request is $[a^O_2, a^R_2]$. For all subsequent abort or resolve requests, by the accountability constraint, the TTP responds with a move in the set $\{\iota, a^O_2, a^R_2, [a^O_2, a^R_2]\}$. This implies that both agents get the abort token and neither agent gets non-repudiation evidence. Therefore, $\varphi_{TTP}$ is satisfied for all these traces and hence $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$ is also satisfied.

— Case 3. The first request to the TTP is a resolve request. Similar to the proof of Case 2, in the set of traces where the first request to the TTP is a resolve request, by the resolve constraint, the TTP responds to this request with move $[r^O_2, r^R_2]$. Since the response of the TTP to all subsequent abort or resolve requests is in the set $\{\iota, r^O_2, r^R_2, [r^O_2, r^R_2]\}$, by the accountability constraint, the agents get their non-repudiation evidences and neither gets the abort token. Therefore, $\varphi_{TTP}$ is satisfied for all these traces and hence $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$ is also satisfied, and the result follows.

For assertion 2, consider an arbitrary $TTP' \preceq TTP$ that does not satisfy the AGS constraints on the TTP. We assume a reasonable TTP and consider violations of the AGS constraints on the TTP on a case by case basis. For each case we produce a witness trace that violates the implication condition $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$. We proceed as follows:

— Case 1. The abort constraint is violated. To produce a witness trace we consider a partial trace that ends in protocol state $\{M_1, ABR^O\}$; $O$ requests the TTP to abort the protocol after sending message $m_1$ but before it is received. Since $TTP'$ violates the abort constraint, the only choices of moves for $TTP'$ are $\iota$ or $a^O_2$. This leads to the following cases:

• Case (a). $TTP'$ chooses $\iota$. It is trivially the case that $\varphi_{TTP}$ is violated for this trace as $\psi_{TTP}$ is violated. At this stage in the protocol, there exists a behavior of $O$, $R$ and the channel between $O$ and $R$ where the channel delivers all messages and the agents co-operate and complete the protocol by exchanging their signatures. Therefore, $\varphi_O \wedge \varphi_R$ is satisfied but $\varphi_{TTP}$ is violated. Therefore, the trace does not satisfy $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$.

• Case (b). $TTP'$ chooses $a^O_2$. Since the channel between the agents and the TTP is resilient, $O$ eventually receives her abort token $AO$. At this stage in the protocol, there exists a behavior of $O$, $R$ and the channel between $O$ and $R$ such that the channel delivers all messages and the agents exchange their signatures, leading to the satisfaction of $\varphi_O \wedge \varphi_R$ but a violation of $\psi_{TTP}$ and hence $\varphi_{TTP}$. Therefore, the trace does not satisfy $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$.

— Case 2. The resolve constraint is violated. To produce a witness trace we consider a partial trace that ends in protocol state $\{M_1, EOO, M_2, EOR, RES^O\}$; $O$ resolves the protocol after messages $m_1$ and $m_2$ have been received. Since $TTP'$ violates the resolve constraint, the only choices of moves for $TTP'$ are $\iota$ or $r^O_2$. An argument similar to the argument for cases 1(a) and 1(b) again leads to the satisfaction of $\varphi_O \wedge \varphi_R$ but a violation of $\varphi_{TTP}$.

— Case 3. The accountability constraint is violated. To produce a witness trace we consider a partial trace that ends in protocol state $\{M_1, EOO, M_2, EOR, ABR^O, RES^R, AO, AR\}$; $O$ aborts the protocol and $R$ resolves the protocol after messages $m_1$ and $m_2$ have been received. The TTP receives the abort request before the resolve request and aborts the protocol by sending $[a^O_2, a^R_2]$. Since $TTP'$ violates the accountability constraint, the only choices of moves for $TTP'$ in response to the resolve request from $R$ are $r^R_2$ or $[r^O_2, r^R_2]$. This leads to the following cases:

• Case (a). $TTP'$ chooses $r^R_2$. This violates $\psi_{TTP}$ and hence violates $\varphi_{TTP}$. At this stage in the protocol, there exists a behavior of $O$, $R$ and the channel between $O$ and $R$ such that the agents exchange their signatures and complete the protocol, thus satisfying $\varphi_O \wedge \varphi_R$. Therefore, this trace does not satisfy the implication condition $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$.

• Case (b). $TTP'$ chooses $[r^O_2, r^R_2]$. This violates $\psi_{TTP}$ and hence violates $\varphi_{TTP}$. An argument similar to Case 3(a) leads to a violation of $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$ for this trace.

As we have shown witness traces that do not satisfy the implication condition $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$ when $TTP'$ violates any of the AGS constraints on the TTP, the result follows.

■
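The case analysis of Lemma 1 can be mechanised for a single protocol instance. The following Python is an added illustration, not code from the paper: it checks the log of (request, response) pairs produced by a TTP against the three AGS constraints and reports what the two agents end up holding. The move names ('a1_O', 'a2_R', 'r2_O', ...) and the tuple encoding of a TTP move are this example's own assumptions; the empty tuple stands for the idle move $\iota$ and a two-element tuple for a paired move such as $[a^O_2, a^R_2]$.

```python
"""Checker for the AGS constraints on the TTP (Section 5.3).

Added illustration, not code from the paper.  A TTP refinement is observed
through the log of (request, response) pairs it produced in one protocol
instance.  Names below are this example's encoding of the paper's moves:
  'a1_O', 'a1_R'  abort requests,   'r1_O', 'r1_R'  resolve requests
  'a2_O', 'a2_R'  abort tokens,     'r2_O', 'r2_R'  non-repudiation evidences
A response is the tuple of tokens sent in one TTP move; the empty tuple is
the idle move iota, ('a2_O', 'a2_R') is the paired move [a2_O, a2_R].
"""
from typing import Sequence, Tuple

Response = Tuple[str, ...]
IDLE: Response = ()
ABORT_PAIR: Response = ('a2_O', 'a2_R')
RESOLVE_PAIR: Response = ('r2_O', 'r2_R')


def check_ags_constraints(log: Sequence[Tuple[str, Response]]) -> Tuple[bool, str]:
    """Return (ok, reason) for one protocol instance's request/response log.

    The abort and resolve constraints fix the first response; the
    accountability constraint restricts every later response to
    {iota, x, y, [x, y]} where [x, y] was the first response."""
    if not log:
        return True, "no abort/resolve request: phi_TTP holds trivially"
    first_req, first_resp = log[0]
    if first_req.startswith('a1_'):
        if first_resp != ABORT_PAIR:
            return False, "abort constraint: first response must be [a2_O, a2_R]"
    elif first_req.startswith('r1_'):
        if first_resp != RESOLVE_PAIR:
            return False, "resolve constraint: first response must be [r2_O, r2_R]"
    else:
        # A reasonable TTP (Section 2) only answers abort or resolve requests.
        raise ValueError(f"not an abort/resolve request: {first_req}")
    x, y = first_resp
    allowed = {IDLE, (x,), (y,), (x, y)}
    for n, (_req, resp) in enumerate(log[1:], start=2):
        if resp not in allowed:
            return False, (f"accountability constraint: response {n} is {resp}, "
                           f"not in {{iota, {x}, {y}, [{x}, {y}]}}")
    return True, "TTP satisfies the AGS constraints"


def outcome(log: Sequence[Tuple[str, Response]]) -> str:
    """What the agents end up holding: 'aborted' (both abort tokens and no
    evidence), 'resolved' (both evidences and no abort token), 'open'
    (nothing issued) or 'inconsistent' (the mixture that violates phi_TTP)."""
    issued = {tok for _req, resp in log for tok in resp}
    if not issued:
        return 'open'
    if issued == set(ABORT_PAIR):
        return 'aborted'
    if issued == set(RESOLVE_PAIR):
        return 'resolved'
    return 'inconsistent'


if __name__ == '__main__':
    # KM-style TTP: aborts on O's request, then idles on R's resolve request.
    km_log = [('a1_O', ABORT_PAIR), ('r1_R', IDLE)]
    print(check_ags_constraints(km_log), outcome(km_log))
    # Accountability violated: after aborting, the TTP also resolves (Lemma 1, Case 3(b)).
    bad_log = [('a1_O', ABORT_PAIR), ('r1_R', RESOLVE_PAIR)]
    print(check_ags_constraints(bad_log), outcome(bad_log))
```

The two functions separate the syntactic check (is the TTP's behaviour inside the constrained move sets) from its consequence (do both agents get abort tokens or both get evidence, never a mixture), which is exactly the step from the AGS constraints to TTP inviolability in assertion 1 of the lemma.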

In the following theorem we show that all refinements $P' \in P_{AGS}$ are attack-free; no subset of participants can violate the objective of at least one of the other participants while satisfying their own objectives.

Theorem 5 All refinements $P' \in P_{AGS}$ are attack-free.

Proof We show that for all refinements $P' \in P_{AGS}$ there exists no $Y$-attack for all $Y \subseteq \{O, R, TTP\}$. Let $P' = (O', R', TTP')$ and $A = \{O, R, TTP\}$ be the set of participants. We have the following cases:

— Case 1. $|Y| = 0$. In this case $Y = \emptyset$ and $(A \setminus Y)' = \{O', R', TTP'\}$. Since $(A \setminus Y)'$ are the refinements in $P'$, which is in $P_{AGS}$, by the weak co-synthesis condition the objectives $\varphi_O$, $\varphi_R$ and $\varphi_{TTP}$ are satisfied. Therefore there is no $Y$-attack in this case.

— Case 2. $|Y| = 1$. We first show that there is no $Y$-attack for $Y = \{O\}$. The case of $Y = \{R\}$ is similar. By Lemma 1 (assertion 2), for all refinements $P' \in P_{AGS}$, the refinement $TTP'$ must satisfy the AGS constraints on the TTP. This implies, by Lemma 1 (assertion 1), that neither $O$ nor $R$ can violate $\varphi_{TTP}$. Since $\varphi_{TTP}$ cannot be violated, a $Y$-attack in this case must generate a trace where $\varphi_R$ is violated but $\varphi_O$ is satisfied. But this violates the implication condition $\varphi_O \wedge \varphi_{TTP} \Rightarrow \varphi_R$, contradicting the assumption that $P' \in P_{AGS}$. We now show that there is no $Y$-attack for $Y = \{TTP\}$. Since we assume the TTP is reasonable, in all traces where neither agent sends an abort nor a resolve request to the TTP, the TTP cannot violate the agent objectives. In all traces where the first request from the agents is an abort request, given a reasonable TTP, since the trace satisfies $\varphi_{TTP}$, it must be the case that the response to that request is $[a^O_2, a^R_2]$. Similarly for resolve requests. If the first response of the TTP is $[x, y]$, then the only responses that satisfy $\varphi_{TTP}$, to all subsequent abort and resolve requests, are in the set $\{\iota, x, y, [x, y]\}$. This implies that the agents get either abort tokens or non-repudiation evidences but never both, which implies $\varphi_O$ and $\varphi_R$ are satisfied in all these traces. Therefore there is no $Y$-attack in this case as well.

— Case 3. $|Y| = 2$. Since $P' \in P_{AGS}$, by the implication conditions of assume-guarantee synthesis, there cannot be a $Y$-attack where $|Y| = 2$.

— Case 4. $|Y| = 3$. It is trivially the case that there is no $Y$-attack as $(A \setminus Y)' = \emptyset$.

Since we have shown that for all refinements $P' \in P_{AGS}$, for all $Y \subseteq A$, there is no $Y$-attack in $P'$, we conclude that all refinements in $P_{AGS}$ are attack-free. ■

We now present the following theorem that establishes conditions for any refinement in $P_{AGS}$ to be an attack-free fair non-repudiation protocol.

Theorem 6 (Fair non-repudiation protocols) For all refinements $P' \in P_{AGS}$, if $[O' \parallel R' \parallel TTP' \parallel Sc] \cap (\Diamond NRO \wedge \Diamond NRR) \neq \emptyset$, then $P'$ is an attack-free fair non-repudiation protocol.

Proof Consider an arbitrary refinement $P' = (O', R', TTP') \in P_{AGS}$. Since $P' \in P_{AGS}$, by Theorem 5 it is attack-free. Further, by the weak co-synthesis condition, we have $[O' \parallel R' \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$ and hence, by Theorem 1, we have $[O' \parallel R' \parallel TTP' \parallel Sc] \subseteq \varphi_f$. Thus $P'$ satisfies fairness. Using PCS, which provides the designated verifier property, to encrypt all messages, we ensure that the protocol is abuse-free. Since $[O' \parallel R' \parallel TTP' \parallel Sc] \cap (\Diamond NRO \wedge \Diamond NRR) \neq \emptyset$, the refinement $P'$ enables an exchange of signatures and hence is an exchange protocol. Given $NRO$ and $NRR$ are non-repudiation evidences for $R$ and $O$ respectively, we conclude that $P'$ is an attack-free fair non-repudiation protocol. ■



5.4 Analysis of Existing Fair Non-repudiation Protocols as $P_{AGS}$ Solutions

In this subsection we analyze existing fair non-repudiation protocols and check if they are solutions to assume-guarantee synthesis. To facilitate the analysis, we first present an alternate characterization of the set $P_{AGS}$ of assume-guarantee refinements. We then show that the KM non-repudiation protocol with offline TTP is in $P_{AGS}$ whereas the ASW certified mail protocol and the GJM protocol are not. Finally, we present a systematic exploration of refinements leading to the KM protocol. Towards an alternate characterization of $P_{AGS}$, we begin by defining constraints on $O$, similar to the AGS constraints on the TTP, that ensure satisfaction of the implication condition for $O$. We then define maximal and minimal refinements that satisfy all the implication conditions of assume-guarantee synthesis and introduce a bounded idle time requirement to ensure satisfaction of weak co-synthesis.

AGS constraints on $O$. Given $P = (O, R, TTP)$, the most general behaviors of the agents and the TTP, we say a refinement $P' \preceq P$ satisfies the AGS constraints on $O$ if the following conditions hold:

1. $a^O_1 \notin \Gamma_{O'}(v_0)$;

2. $EOO^O \notin \Gamma_{O'}(\{M_1, EOR, ABR^O\})$; and

3. $a^O_1 \notin \Gamma_{O'}(\{M_1, EOR, M_3\})$.

In the Appendix, we show that these constraints are both necessary and sufficient restrictions on the moves of $O$ that satisfy the implication condition $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$ of assume-guarantee synthesis. We also show that all refinements $R' \preceq R$ satisfy the implication condition $(\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$ of assume-guarantee synthesis.

The maximal refinement $P^*$. We define the maximal refinement $P^* = (O^*, R^*, TTP^*)$ as follows:

1. $O^* \preceq O$ satisfies the AGS constraints on $O$ and for all $O'$ that satisfy the constraints, we have $O' \preceq O^*$;

2. $R^* = R$; and

3. $TTP^* \preceq TTP$ satisfies the AGS constraints on the TTP and for all $TTP'$ that satisfy the constraints, we have $TTP' \preceq TTP^*$.

We show in the Appendix the correspondence between $P^*$ and the smallest restriction on the moves of $O$ and the TTP so that $P^*$ is a witness to $P_{AGS}$. While there are restrictions on $O$ and the TTP, there are no restrictions on $R$.

The minimal refinement $P_*$. We present the smallest refinement $P_* = (O_*, R_*, TTP_*)$ in $P_{AGS}$, as the largest restriction on the moves of $O$, $R$ and the TTP, as follows:

1. $P_* \preceq P^*$;

2. $Moves_{O_*} = \{m_1, a^O_1\}$;

3. $Moves_{R_*} = \{\iota\}$;

4. $O_*$ satisfies the AGS constraints on $O$; and

5. $TTP_*$ satisfies the AGS constraints on the TTP.



Protocol 1: The KM, ASW and GJM Main Protocol

    O sends m_1 to R;
    R sends m_2 to O;
    if (R does not send m_2 on time) then
        O sends a^O_1 to the TTP;
    else
        O sends m_3 to R;
        if (O does not send m_3 on time) then
            R sends r^R_1 to the TTP;
        else
            R sends m_4 to O;
            if (R does not send m_4 on time) then
                O sends r^O_1 to the TTP;



If $m_1 \notin Moves_{O_*}$, then $\varphi_O$ cannot be satisfied as $O_*$ does not have the ability to initiate a protocol instance. If $a^O_1 \notin Moves_{O_*}$, then $\varphi_O$ cannot be satisfied whether or not $m_1$ is delivered, as $R_*$ has no choice of moves other than $\iota$. If $O_*$ does not satisfy the AGS constraints on $O$ and sends $a^O_1$ in the initial state of the protocol $v_0$, then the resulting trace trivially violates $\varphi_O$ while satisfying $\varphi_R \wedge \varphi_{TTP}$.

The bounded idle time requirement. We say that a refinement $P'$ satisfies bounded idle time if $O$ and the TTP in $P'$ choose the idle move $\iota$, when scheduled by $Sc$, at most $b$ times for a finite $b \in \mathbb{N}$. We prove in the Appendix that satisfaction of the bounded idle time requirement is both necessary and sufficient to ensure satisfaction of the weak co-synthesis condition of assume-guarantee synthesis, for all refinements that satisfy the AGS constraints on the TTP and the AGS constraints on $O$.

Alternate characterization of $P_{AGS}$. We now use $P_*$ and $P^*$ to provide an alternate characterization of the set $P_{AGS}$. We first define the following set of refinements $\mathcal{P}$:

$$\mathcal{P} = \{P' = (O', R', TTP') \mid P' \text{ satisfies bounded idle time};\ P_* \preceq P' \preceq P^*;\ TTP' \text{ satisfies the AGS constraints on the TTP}\}.$$

The following lemma states that the set $\mathcal{P}$ and the set $P_{AGS}$ coincide. We present the lemma here and prove it in the Appendix.

Lemma 2 (Alternate characterization of $P_{AGS}$) We have $\mathcal{P} = P_{AGS}$.

The KM non-repudiation protocol. The KM protocol, like the ASW and GJM protocols, consists of a main protocol, an abort subprotocol and a resolve subprotocol. The main protocol is the same as in the ASW and GJM protocols and is defined in terms of messages in Protocol 1. The abort subprotocol and the resolve subprotocol are defined in Table 1. Let $P_{KM} = (O_{KM}, R_{KM}, TTP_{KM})$ correspond to the agent and TTP refinements in the KM protocol. Since $O$ does not abort the protocol in state $v_0$ and in state $\{M_1, EOR, M_3\}$ in $O_{KM}$, it follows that $O_* \preceq O_{KM} \preceq O^*$. It is easy to verify that $R_* \preceq R_{KM} \preceq R^*$ and $TTP_* \preceq TTP_{KM} \preceq TTP^*$. Moreover, $TTP_{KM}$ satisfies the AGS constraints on the TTP and $P_{KM}$ satisfies bounded idle time. Therefore $P_{KM} \in \mathcal{P}$ and hence, by Lemma 2, $P_{KM} \in P_{AGS}$.



The ASW certified mail protocol. The ASW certified mail protocol differs from the KM protocol in its abort and resolve sequences. To define the abort protocol, the TTP needs a move $req^O$ that can be used to request $O$ to resolve a protocol instance if $R$ has already resolved it. The abort and resolve subprotocols are defined in Table 1. Let $P_{ASW} = (O_{ASW}, R_{ASW}, TTP_{ASW})$ correspond to the agent and TTP refinements in the ASW certified mail protocol. Since $TTP_{ASW}$ has neither the move $[a^O_2, a^R_2]$ nor $[r^O_2, r^R_2]$, $TTP_{ASW}$ does not satisfy the AGS constraints on the TTP and hence, by Lemma 1 (assertion 2), we have $P_{ASW} \notin P_{AGS}$. Moreover, the ASW certified mail protocol is not attack-free, as shown by the following attacks [16]. Consider a behavior of the channels that delivers all messages and the sequence of messages $(m_1, r^R_1, r^R_2, a^O_1, req^O)$. This is a valid sequence in the ASW protocol. In this sequence a malicious $R$ decides to resolve the protocol after receiving $m_1$ and thus succeeds in getting $EOO^{TTP}$. When $O_{ASW}$ attempts to abort the protocol, $TTP_{ASW}$ expects her to resolve the protocol as $R$ has already resolved it, but $O_{ASW}$ cannot do so as she does not have $m_2$. Therefore, $\varphi_O$ is violated; $O_{ASW}$ can neither abort nor resolve the protocol, nor can she get $R$'s signature. Consider the sequence of messages $(m_1, m_2, r^O_1, r^O_2, a^O_1, a^R_2)$. This is an attack that compromises fairness for $R$; in the words of [16], the protocol designers did not foresee that $O$ could resolve the protocol and then abort it. This violates $\varphi_R$ and TTP accountability, violating $\varphi_{TTP}$, while satisfying $\varphi_O$.

The GJM protocol. The GJM protocol differs in the abort and resolve sequences as shown in Table 1. Garay et al. introduced the notion of abuse-freeness and invented private contract signatures or PCS, a cryptographic primitive that ensures abuse-freeness and optionally TTP accountability [13]. Further, the GJM protocol is faithful to the informal definition of fairness in that, when a protocol instance is aborted, neither agent gets partial information that can be used to negotiate a contract with a third party. This is ensured by the use of PCS, which provides the designated verifier property; only $R$ can verify the authenticity of a message signed by $O$ and vice versa. The use of PCS in addition to the fixes to the original protocol proposed in [28] ensures that the protocol is free from replay attacks, is fair and is abuse-free. Let $P_{GJM} = (O_{GJM}, R_{GJM}, TTP_{GJM})$ correspond to the agent and TTP refinements in the GJM protocol. Since $TTP_{GJM}$ has neither the move $[a^O_2, a^R_2]$ nor $[r^O_2, r^R_2]$, $TTP_{GJM}$ does not satisfy the AGS constraints on the TTP and hence, by Lemma 1 (assertion 2), we have $P_{GJM} \notin P_{AGS}$. $P_{GJM}$ does not provide TTP inviolability and is not attack-free by our definition. Consider the message sequence $g = (m_1, m_2, m_3, r^O_1, r^O_2)$; agent $R$ does not send his final signature but goes idle and stops participating in the protocol after receiving $O$'s signature. $O_{GJM}$ resolves the protocol by sending $r^O_1$ and gets $EOR^{TTP}$. In this case, while the objectives of $O$ and $R$ are satisfied, the TTP cannot satisfy $\varphi_{TTP}$ unless $R_{GJM}$ co-operates and sends a resolve request $r^R_1$ after having satisfied his objective, which he may never do; it is rather unrealistic to expect that he will. Precisely, $g \in [O \parallel R \parallel TTP_{GJM} \parallel Sc]$ and $g \notin (\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$.

Theorem 7 The refinement corresponding to the KM non-repudiation protocol is in $P_{AGS}$, and the refinements corresponding to the ASW certified mail protocol and the GJM protocol are not in $P_{AGS}$.

Computation. We can obtain the solution of assume-guarantee synthesis by solving graph games with secure equilibria [10]. In fact, the refinements that satisfy assume-guarantee synthesis precisely correspond to secure equilibrium strategies of players in the game. This result was presented in [9]. All the objectives we consider in this paper are boolean combinations of Büchi ($\Box\Diamond$) and co-Büchi ($\Diamond\Box$) objectives. It follows from [9] that secure equilibria with combinations of Büchi and co-Büchi objectives can be solved in polynomial time. This gives us a polynomial time algorithm for the assume-guarantee synthesis of fair exchange protocols.

Table 2 (caption only; the table body is not present in this copy): The moves that satisfy the objectives of assume-guarantee synthesis for $O_1$ and $R_1$ are shown in this table at relevant protocol states represented by message sequences, when the agents have no ability to resolve the protocol.

From $P_{AGS}$ to $P_{KM}$. We now present a systematic exploration of the refinements of $P = (O, R, TTP)$, the most general behavior of the agents and the TTP, leading to the KM protocol. We consider the following refinements, which we assume satisfy bounded idle time and the AGS constraints on the TTP, and study their properties:

1. $P_* = (O_*, R_*, TTP_*)$; the minimal refinement.

2. $P_1 = (O_1, R_1, TTP_1)$ with $Moves_{O_1} = Moves_{O_*} \cup \{\iota, m_3\}$, $Moves_{R_1} = Moves_{R_*} \cup \{m_2, m_4\}$ and $TTP_1 = TTP^*$.

3. $P_2 = (O_2, R_2, TTP_2)$ with $Moves_{O_2} = Moves_{O_1} \cup \{r^O_1\}$, $Moves_{R_2} = Moves_{R_1}$ and $TTP_2 = TTP^*$.

4. $P_3 = (O_3, R_3, TTP_3)$ with $Moves_{O_3} = Moves_{O_2} \setminus \{a^O_1\}$, $Moves_{R_3} = Moves_{R_1} \cup \{r^R_1\}$ and $TTP_3 = TTP^*$.

5. $P^* = (O^*, R^*, TTP^*)$; the maximal refinement.

Analysis of the refinement $P_*$. It is easy to check that while $P_* \in P_{AGS}$, it always ends aborted as $a^O_1$ is the only choice of moves for $O_*$ after $m_1$ is sent. It is not an exchange protocol as it does not enable an exchange of signatures.

Analysis of the refinement $P_1$. In this case, the agents do not have the ability to resolve the protocol. The objectives of the agents and the TTP then reduce to

$$\varphi_O = \Diamond M_1 \wedge \Box(\Diamond EOR^R \vee (\Diamond AO \wedge \Box\neg EOO^O)),$$
$$\varphi_R = \Box(EOO \Rightarrow (\Diamond EOO^O \vee (\Diamond AR \wedge \Box\neg EOR^R))),$$
$$\varphi_{TTP} = \Box(ABR \Rightarrow (\Diamond AO \vee \Diamond AR)) \wedge \Box(AO \Rightarrow \Diamond AR) \wedge \Box(AR \Rightarrow \Diamond AO).$$
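The reduced objectives above, and the witness traces of Section 5.2 (the co-operative run $(m_1, m_2, m_3, m_4)$ and $R$ stopping after receiving $m_3$), can be checked mechanically. The following Python is an added example, not code from the paper: it evaluates $\varphi_O$, $\varphi_R$ and $\varphi_{TTP}$ of $P_1$ over finite runs with the same LTL connectives. A run is a list of predicates that become, and stay, true, matching the monotone protocol valuations the paper uses; the predicate names `EOO_O` and `EOR_R` are this example's spelling of $EOO^O$ and $EOR^R$, and a finite run is read as stuttering forever in its last state (every participant idles), which is how the paper's witness traces end.

```python
"""Finite-trace evaluation of the P1 objectives (no resolve moves).

Added illustration, not code from the paper.  A protocol run is a list of
events; each event is the name of a predicate that becomes (and stays) true,
matching the monotone valuations of the paper's protocol states:
  M1, EOO   m1 sent / received     M2, EOR   m2 sent / received
  EOO_O     O's signature (m3) received by R
  EOR_R     R's signature (m4) received by O
  ABR       abort requested        AO, AR    abort tokens received by O / R
A finite run is read as stuttering forever in its last state (every
participant idles from then on), which is how the witness traces end.
"""
from typing import Callable, Dict, List, Set

State = Set[str]
Trace = List[State]
Pred = Callable[[Trace, int], bool]   # formula evaluated at position j


def atom(name: str) -> Pred:
    return lambda t, j: name in t[j]

def neg(p: Pred) -> Pred:
    return lambda t, j: not p(t, j)

def conj(p: Pred, q: Pred) -> Pred:
    return lambda t, j: p(t, j) and q(t, j)

def disj(p: Pred, q: Pred) -> Pred:
    return lambda t, j: p(t, j) or q(t, j)

def implies(p: Pred, q: Pred) -> Pred:
    return lambda t, j: (not p(t, j)) or q(t, j)

def F(p: Pred) -> Pred:            # eventually (diamond), stutter semantics
    return lambda t, j: any(p(t, k) for k in range(j, len(t)))

def G(p: Pred) -> Pred:            # always (box), stutter semantics
    return lambda t, j: all(p(t, k) for k in range(j, len(t)))


# phi_O = <>M1 /\ [](<>EOR_R \/ (<>AO /\ []~EOO_O))
PHI_O = conj(F(atom('M1')),
             G(disj(F(atom('EOR_R')),
                    conj(F(atom('AO')), G(neg(atom('EOO_O')))))))
# phi_R = [](EOO => (<>EOO_O \/ (<>AR /\ []~EOR_R)))
PHI_R = G(implies(atom('EOO'),
                  disj(F(atom('EOO_O')),
                       conj(F(atom('AR')), G(neg(atom('EOR_R')))))))
# phi_TTP = [](ABR => (<>AO \/ <>AR)) /\ [](AO => <>AR) /\ [](AR => <>AO)
PHI_TTP = conj(G(implies(atom('ABR'), disj(F(atom('AO')), F(atom('AR'))))),
               conj(G(implies(atom('AO'), F(atom('AR')))),
                    G(implies(atom('AR'), F(atom('AO'))))))


def run(events: List[str]) -> Trace:
    """Cumulative valuations: state k holds every predicate made true so far."""
    trace: Trace = [set()]
    for e in events:
        trace.append(trace[-1] | {e})
    return trace


def objectives(events: List[str]) -> Dict[str, bool]:
    """Evaluate the three objectives at the start of the run."""
    t = run(events)
    return {'O': PHI_O(t, 0), 'R': PHI_R(t, 0), 'TTP': PHI_TTP(t, 0)}


if __name__ == '__main__':
    # The co-operative run (m1, m2, m3, m4): all three objectives hold.
    print(objectives(['M1', 'EOO', 'M2', 'EOR', 'EOO_O', 'EOR_R']))
    # R stops after receiving O's signature: phi_R holds, phi_O fails.
    print(objectives(['M1', 'EOO', 'M2', 'EOR', 'EOO_O']))
    # The TTP issues only O's abort token: phi_TTP and phi_R fail, phi_O holds.
    print(objectives(['M1', 'EOO', 'ABR', 'AO']))
```

The third run is the shape of Lemma 1, Case 1(b): one agent is satisfied, the other and the TTP are not, so the trace falls outside $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$ only when both agent objectives hold, which is what the lemma's witness traces arrange by letting the agents complete the exchange.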

The agent moves that extend partial protocol runs such that the implication conditions of assume-guarantee synthesis are satisfied in all resulting traces are shown in Table 2. Each row in the table corresponds to a protocol state and the moves available to $O_1$ and $R_1$ at that state, such that the implication conditions of assume-guarantee synthesis are satisfied in all resulting traces. For example, in the row corresponding to $(m_1)$, we have two move choices for $O_1$, one that selects $\iota$ and the other that selects $a^O_1$; $O_1$ can choose to wait for $R$ to send $m_2$ or choose $a^O_1$. A similar interpretation is attached to the moves of $R_1$. We have $P_* \preceq P_1 \preceq P^*$. As $P_1$ satisfies bounded idle time and the AGS constraints on the TTP, $P_1 \in \mathcal{P}$ and hence, by Lemma 2, $P_1 \in P_{AGS}$. The refinement $P_1$, while attack-free, is not a fair non-repudiation protocol as it does not enable an exchange of non-repudiation evidences. The protocol always ends up aborted as $a^O_1$ is the only move that satisfies $\varphi_O$ for $O$ in state $\{M_1, EOO\}$ against all behaviors of $R$ and the TTP; once $O_1$ sends her signature in $m_3$, there is no move available to $O_1$ such that satisfaction of $\varphi_R \wedge \varphi_{TTP}$ is guaranteed to satisfy $\varphi_O$, as $R$ may decide to stop participating in the protocol.

Table 3: The moves that satisfy the objectives of assume-guarantee synthesis for $O_3$ and $R_3$ are shown in this table at relevant protocol states represented by message sequences, when the agents have no ability to abort the protocol. Columns: Delivered message sequences; Moves for $O_3$ and $R_3$; Choices for $O_3$; Choices for $R_3$. Rows: $(m_1)$, $(m_1, m_2)$, $(m_1, m_2, m_3)$. (The individual cell entries are illegible in this copy.)

Analysis of the refinement $P_2$. In this case, $R$ has no ability to resolve the protocol. It is easy to verify that $P_* \preceq P_2 \preceq P^*$. Therefore, $P_2 \in \mathcal{P}$ and hence, by Lemma 2, $P_2 \in P_{AGS}$. This protocol is a fair non-repudiation protocol that satisfies fairness, balance and timeliness. If $O$ does not send $m_3$, then $R_2$ has no choice of moves. But since $P_2$ satisfies bounded idle time, $O_2$ will eventually either abort or resolve the protocol. As $TTP_2$ satisfies the AGS constraints on the TTP, either both agents get abort tokens or they get their respective non-repudiation evidences eventually.

Analysis of the refinement $P_3$. Since $O$ has no ability to abort the protocol, while both agents have the ability to resolve it, the predicates $AO$ and $AR$ are always false. The agent and TTP objectives then reduce to

$$\varphi_O = \Diamond M_1 \wedge \Box(\Diamond EOR^R \vee \Diamond EOR^{TTP}),$$
$$\varphi_R = \Box(EOO \Rightarrow (\Diamond EOO^O \vee \Diamond EOO^{TTP})),$$
$$\varphi_{TTP} = \Box(RES \Rightarrow (\Diamond EOO^{TTP} \vee \Diamond EOR^{TTP})) \wedge \Box(EOO^{TTP} \Rightarrow \Diamond EOR^{TTP}) \wedge \Box(EOR^{TTP} \Rightarrow \Diamond EOO^{TTP}).$$

The moves of the agents that satisfy the objectives of assume-guarantee synthesis at select protocol valuations represented by message sequences are shown in Table 3. It is easy to verify that as $P_* \not\preceq P_3 \preceq P^*$, $P_3 \notin \mathcal{P}$ and hence, by Lemma 2, $P_3 \notin P_{AGS}$. Since $TTP_3$ satisfies the AGS constraints on the TTP, $P_3$ is a fair non-repudiation protocol similar to the ZG optimistic non-repudiation protocol, but it does not satisfy timeliness [14] as $O$ does not have the ability to abort the protocol. If message $m_1$ is not delivered, then $O$ has no choice of moves to satisfy $\varphi_O$, while $\varphi_R \wedge \varphi_{TTP}$ is satisfied trivially. Balance does not apply in this case as there are no abort moves.

Analysis of the refinement $P^*$. In the maximal refinement $P^* = (O^*, R^*, TTP^*)$, since $TTP^*$ satisfies the AGS constraints on the TTP, if her first response to an abort or resolve request is $[x, y]$, she can choose any move in $\{\iota, x, y, [x, y]\}$ for all subsequent abort or resolve requests. Consider a refinement $P_{KM} = (O_{KM}, R_{KM}, TTP_{KM}) \preceq P^*$, where $O_{KM}$ and $R_{KM}$ correspond to $O^*$ and $R^*$, and $TTP_{KM} \preceq TTP^*$ such that $TTP_{KM}$ goes idle after her first response to an abort or resolve request. $P_{KM}$ is then the KM protocol. We remark that, given the choices of moves for the TTP after her first response as suggested by assume-guarantee synthesis, choosing $\iota$ satisfies the informal notion of efficiency. This refinement ensures fairness, balance and timeliness.



Protocol 2: Main Protocol of our Symmetric Non-repudiation Protocol

    O sends m_1 to R;
    if (R does not want to participate) then
        R sends a^R_1 to the TTP;
    else
        R sends m_2 to O;
        if (R does not send m_2 on time) then
            O sends a^O_1 to the TTP;
        else
            O sends m_3 to R;
            if (O does not send m_3 on time) then
                if (R does not want to participate) then
                    R sends a^R_1 to the TTP;
                else
                    R sends r^R_1 to the TTP;
            else
                R sends m_4 to O;
                if (R does not send m_4 on time) then
                    O sends r^O_1 to the TTP;



6 A Symmetric Fair Non-Repudiation Protocol

In the KM, ASW and GJM protocols, $R$ cannot abort the protocol. While the ability of $O$ to abort the protocol after sending $m_1$ is required in the event $m_1$ is not delivered or $R$ does not send $m_2$, it can be used to abort the protocol even if all channels are resilient or if $O$ decides not to sign the contract after receiving $m_2$. The protocols give $O$ the ability to postpone abort decisions but deny $R$ a similar ability. While this does not violate fairness or abuse-freeness as per prevailing definitions, it is not equitable to both agents. If $R$ does not want to participate in a protocol instance, then the only choice of moves for $R$ is $\iota$ and not $m_2$; $O$ will then eventually abort the protocol. Once $m_2$ has been sent, if $R$ decides not to participate in the protocol and not be held responsible for signing the contract, he has no choice of moves. If he decides to ignore $m_3$, then $O$ will resolve the protocol, resulting in non-repudiation evidences being issued to $O$, using which she can claim $R$ is obligated by the contract.

In this section we present a symmetric fair non-repudiation protocol that gives $R$ the ability to abort the protocol, assuming that the channels between the agents and the TTP are operational. If we enhance the ability of $R$ by including an abort move $a^R_1$ without enhancing $O$ and the TTP, then assume-guarantee synthesis fails. By enhancing both $O$ and the TTP, using assume-guarantee analysis, we design a new fair non-repudiation protocol that (a) has no $Y$-attack for all $Y \subseteq \{O, R\}$; and (b) provides $R$ the ability to abort. In the following, we show that if we fix the behavior of the TTP, ensuring TTP inviolability, then the protocol is attack-free.

Consider the following refinement $P^s = (O^s, R^s, TTP^s)$ with $P^* \preceq P^s$ defined as follows:

$Moves_{O^s} = Moves_{O^*} \cup \{res^O\}$;
$Moves_{R^s} = Moves_{R^*} \cup \{a^R_1\}$; and
$Moves_{TTP^s} = Moves_{TTP^*} \cup \{req^O\}$.



Protocol 3: Abort Subprotocol. $X \in \{O, R\}$

    X sends a^X_1 to TTP;
    if (the protocol has been aborted or resolved) then
        TTP goes idle;
    else
        if (X = R) then
            TTP sends req^O to O;
            if (O sends res^O on time) then
                TTP marks this protocol instance as resolved in its persistent DB;
                TTP sends [r^O_2, r^R_2] to O and R;
            else
                TTP marks this protocol instance as aborted in its persistent DB;
                TTP sends [a^O_2, a^R_2] to O and R;
        else
            TTP marks this protocol instance as aborted in its persistent DB;
            TTP sends [a^O_2, a^R_2] to O and R;



The move $req^O$ may be sent by $TTP^s$ only after receiving an abort request from $R$. The move $res^O$ may be sent by $O^s$ only after receiving $req^O$. We present the main protocol and the abort subprotocol for our symmetric fair non-repudiation protocol in Protocol 2 and Protocol 3; the resolve subprotocol is identical to the one in the KM protocol.

To facilitate the assume-guarantee analysis of $P^s$, we present the following enhanced AGS constraints on the TTP, which are both necessary and sufficient to ensure TTP inviolability (neither agent can violate $\varphi_{TTP}$):

1. Abort constraint. If the first request received by the TTP is $a^O_1$, then her response to that request should be $[a^O_2, a^R_2]$; if the first request received by the TTP is $a^R_1$, then her response to that request should be $req^O$;

2. Resolve constraint. If the first request received by the TTP is a resolve request, then her response to that request should be $[r^O_2, r^R_2]$; if the TTP receives $res^O$ in response to $req^O$ within bounded idle time, then her response should be $[r^O_2, r^R_2]$, otherwise it should be $[a^O_2, a^R_2]$;

3. Accountability constraint. If the first response from the TTP is $[x, y]$, or the first response from the TTP is $req^O$ and the next response is $[x, y]$, then for all subsequent abort or resolve requests her response should be in the set $\{\iota, x, y, [x, y]\}$.

The enhanced AGS constraints on the TTP are required both to satisfy the implication condition $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$ and the condition for weak co-synthesis, $(\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$. Since $TTP^s$ waits for a bounded number of turns before sending abort tokens to both agents after sending $req^O$, we require that (a) the channels between the agents and the TTP are operational, and (b) the time taken to deliver messages $req^O$ and $res^O$ be subsumed by the bound on idle time chosen by the TTP between sending $req^O$ and abort tokens. As there is no bound on the time taken to deliver messages on resilient channels, the above AGS constraints on the TTP cannot be enforced without operational channels. Consider a partial trace that ends in protocol state $\{M_1, EOO, M_2, EOR, M_3\}$; messages $m_1$ and $m_2$ have been received and $m_3$ has been sent. If $R$ now aborts the protocol and the TTP sends $req^O$ to $O$, then resilient channels can delay delivering either $req^O$ or $res^O$ sufficiently for the TTP to abort the protocol. In this case, if $m_3$ is eventually delivered, $\varphi_O$ is violated whereas $\varphi_R \wedge \varphi_{TTP}$ is satisfied.
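The enhanced constraints, together with Protocol 3, fix the TTP's behaviour completely once a bound on idle time is chosen. The following Python is an added example, not code from the paper, of such a TTP: it answers $a^O_1$ and resolve requests immediately, answers $a^R_1$ with $req^O$, waits at most $b$ idle turns for $res^O$, and then issues one paired token and idles forever (the KM-style choice of $\iota$ under the accountability constraint). The request and move names ('a1_R', 'res_O', 'req_O', ...), the turn-based interface and the counting of the bound in TTP turns are this example's assumptions; the last scenario in the tests is the late-delivery case of the paragraph above, where $res^O$ arrives after the bound has expired and the instance is already aborted.

```python
"""TTP of the symmetric protocol under the enhanced AGS constraints.

Added illustration of Protocol 3 and the enhanced constraints; not code from
the paper.  Request names: 'a1_O', 'a1_R' (abort), 'r1_O', 'r1_R' (resolve),
'res_O' (O's answer to req_O).  A response is the tuple of moves the TTP sends
in one turn: () is the idle move iota, ('req_O',) is req^O, and the pairs are
[a2_O, a2_R] and [r2_O, r2_R].  The idle bound b counts the TTP's idle moves
between sending req_O and giving up; the text requires it to subsume the
delivery time of req_O and res_O on operational channels.
"""
from typing import List, Optional, Tuple

Response = Tuple[str, ...]
IDLE: Response = ()
REQ_O: Response = ('req_O',)
ABORT_PAIR: Response = ('a2_O', 'a2_R')
RESOLVE_PAIR: Response = ('r2_O', 'r2_R')


class SymmetricTTP:
    def __init__(self, idle_bound: int) -> None:
        self.idle_bound = idle_bound      # b of the bounded idle time requirement
        self.state = 'open'               # open | awaiting_res | aborted | resolved
        self.idle_moves = 0               # idle moves spent waiting for res_O
        self.first_pair: Optional[Response] = None   # the [x, y] of accountability

    def step(self, msg: Optional[str]) -> Response:
        """One scheduled TTP turn; msg is the request delivered this turn, if any."""
        if self.state == 'open':
            if msg is None:
                return IDLE
            if msg == 'a1_O':                        # abort constraint, O aborts
                return self._close('aborted', ABORT_PAIR)
            if msg in ('r1_O', 'r1_R'):              # resolve constraint
                return self._close('resolved', RESOLVE_PAIR)
            if msg == 'a1_R':                        # abort constraint, R aborts
                self.state = 'awaiting_res'
                return REQ_O
            raise ValueError(f"a reasonable TTP only answers abort/resolve requests: {msg}")
        if self.state == 'awaiting_res':
            if msg == 'res_O':                       # O recovered within the bound
                return self._close('resolved', RESOLVE_PAIR)
            if self.idle_moves >= self.idle_bound:   # bound exhausted: abort for both
                return self._close('aborted', ABORT_PAIR)
            self.idle_moves += 1
            return IDLE
        # aborted or resolved: every later response is iota, which lies in
        # {iota, x, y, [x, y]} as the accountability constraint requires.
        return IDLE

    def _close(self, state: str, pair: Response) -> Response:
        self.state = state                # Protocol 3: recorded in the persistent DB
        self.first_pair = pair
        return pair


def simulate(idle_bound: int, turns: List[Optional[str]]) -> Tuple[List[Response], str]:
    """Run one protocol instance; turns lists what arrives at each TTP turn."""
    ttp = SymmetricTTP(idle_bound)
    responses = [ttp.step(t) for t in turns]
    return responses, ttp.state


if __name__ == '__main__':
    # R aborts, O answers req_O in time: both agents get their evidences.
    print(simulate(2, ['a1_R', None, 'res_O']))
    # R aborts, O stays silent: after b idle turns both get abort tokens.
    print(simulate(2, ['a1_R', None, None, None]))
    # res_O delivered after the bound (delayed channel): instance already aborted.
    print(simulate(2, ['a1_R', None, None, None, 'res_O']))
```

With `idle_bound` set to $b$, the TTP idles exactly up to $b$ times after $req^O$ and then closes the instance, so every instance ends in one of the two consistent outcomes regardless of what the agents do afterwards; the only way for $O$ to lose is the late delivery in the third scenario, which is why the text insists on operational channels between the agents and the TTP.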



In the following lemma we show that in $P_s$, $O$ cannot violate $\varphi_R$ while satisfying $\varphi_O$, $R$ 
cannot violate $\varphi_O$ while satisfying $\varphi_R$, and $O$ and $R$ cannot violate $\varphi_{TTP}$ while satisfying 
their objectives. That is, in the refinement $P_s$ we have $[O \parallel R \parallel TTP_s \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$, 
and $[O \parallel R_s \parallel TTP \parallel Sc] \subseteq (\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$. However, it is not the case that 
$[O_s \parallel R \parallel TTP \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. But if the TTP is fixed, then the implication 
condition holds, i.e., $[O_s \parallel R \parallel TTP_s \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. It follows 
that under the assumption that the TTP does not change her behavior while satisfying her 
objective, the symmetric protocol is attack-free. We present the following lemma and prove 
it in the Appendix. 

Lemma 3 For the refinement $P_s = (O_s, R_s, TTP_s)$, if the channels between the agents 
and the TTP are operational, then there exists no $Y$-attack for all $Y \subseteq \{O, R\}$. 

The assumption that the bound on idle time of the TTP between sending $\mathit{req}^O$ and the 
abort tokens subsumes the time taken for the delivery of the messages $\mathit{req}^O$ and $\mathit{res}^O$ can easily 
be enforced before the beginning of a protocol: $O$ agrees to participate in the protocol with 
a given TTP only if the bound chosen by the TTP is satisfactory. We point out that in 
state $\{EOO, M_2\}$, if $R$ sends an abort request, he still needs $O$'s co-operation to abort the 
protocol. Since she has $m_2$, she can launch recovery if she so desires by composing $\mathit{res}^O$ 
when she receives $\mathit{req}^O$. But this is identical to the ability of $O$ to abort the protocol 
after she sends $m_1$: $R$ can resolve the protocol as soon as he receives $m_1$ and thus hold $O$ as 
a signatory to the contract even if she decided to abort the protocol after sending $m_1$. The 
protocol is therefore symmetric with respect to $O$ and $R$. In addition, we claim that this version 
of the protocol provides better quality of service in terms of timeliness: $O$ does not have to 
wait after sending $m_1$ for $R$ to send $m_2$ in protocol instances where $R$ has no desire to sign 
the contract. The following theorem states that if the TTP does not change her behavior, 
then the refinement $P_s$ is an attack-free fair non-repudiation protocol. The proof is in the 
Appendix. 

Theorem 8 (Symmetric attack-free protocol) Given that the channels between the agents 
and the TTP are operational and the TTP does not deviate from satisfying the enhanced 
AGS constraints on the TTP, the refinement $P_s = (O_s, R_s, TTP_s)$ is an attack-free fair 
non-repudiation protocol. 

From $\mathcal{P}_{AGS}$ to $P_s$. We can systematically analyze refinements leading to $P_s$. Similar to 
the case of synthesizing the KM non-repudiation protocol, we now present the steps that 
explore refinements leading to $P_s$. We assume the TTP satisfies the AGS constraints on the 
TTP and all refinements satisfy bounded idle time. The analyzed refinements are as follows: 

1. $P_* = (O_*, R_*, TTP_*)$; the minimal refinement. 

2. $P_1 = (O_1, R_1, TTP_1)$ with 

$\mathit{Moves}_{O_1} = \mathit{Moves}_{O_*} \cup \{\bot, m_3\}$, $\mathit{Moves}_{R_1} = \mathit{Moves}_{R_*} \cup \{m_2, m_4\}$ and $TTP_1 = TTP_*$. 

3. $P_2 = (O_2, R_2, TTP_2)$ with 

$\mathit{Moves}_{O_2} = \mathit{Moves}_{O_1} \cup \{r_O^?\}$, $\mathit{Moves}_{R_2} = \mathit{Moves}_{R_1}$ and $TTP_2 = TTP_*$. 

4. $P_3 = (O_3, R_3, TTP_3)$ with 

$\mathit{Moves}_{O_3} = \mathit{Moves}_{O_2} \setminus \{a_O^?\}$, $\mathit{Moves}_{R_3} = \mathit{Moves}_{R_1} \cup \{r_R^?\}$ and $TTP_3 = TTP_*$. 

5. $P^* = (O^*, R^*, TTP^*)$; the maximal refinement. 

6. $P_s = (O_s, R_s, TTP_s)$ with 

$\mathit{Moves}_{O_s} = \mathit{Moves}_{O^*} \cup \{\mathit{res}^O\}$, $\mathit{Moves}_{R_s} = \mathit{Moves}_{R^*} \cup \{a_R^?\}$ and 
$\mathit{Moves}_{TTP_s} = \mathit{Moves}_{TTP^*} \cup \{\mathit{req}^O\}$. 



Implementation. We have implemented a prototype for assume-guarantee synthesis of 
fair non-repudiation protocols. Our implementation considers triples of refinements $O' \preceq O$, 
$R' \preceq R$ and $TTP' \preceq TTP$ and then explores all possible message sequences given these 
participant refinements. We implemented a scheduler that backtracks and systematically 
schedules all participants at all protocol states. Using the scheduler, given a subset of participant 
refinements, with all other participants being most general, the implementation 
explores all possible traces and checks whether each trace satisfies the required AGS conditions. 
Note that in checking the satisfaction of the AGS conditions, for the implication conditions 
we need to consider the most general participants against each of the refinements $O'$, $R'$ and 
$TTP'$. The checking of the implication conditions is achieved by solving secure equilibrium 
on graph games with lexicographic objectives. Our implementation generates all possible 
AGS solutions. The analysis of the AGS solutions generated by our implementation was 
key in obtaining the symmetric protocol, using a procedure similar to the one that obtains $P_{KM}$ from 
$\mathcal{P}_{AGS}$. 
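The exploration described above, as an added example that is not the paper's prototype: a small Python model of the four-message main protocol with abort and resolve subprotocols, a TTP satisfying the AGS constraints on the TTP, and a backtracking scheduler that enumerates every trace of $[O' \parallel R \parallel TTP \parallel Sc]$ with $R$ and the $O$-$R$ channel most general, checking $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$ for a given refinement $O'$. The objectives are simplified to an evidence-balance check, the message and move names are this example's own, and the refinement that aborts after sending $m_3$ is the hypothetical violator of constraint 3 from Lemma 5.

```python
"""Exhaustive trace exploration for the implication condition on O (toy model).

Four-message main protocol (m1..m4), abort and resolve subprotocols, a TTP
obeying the AGS constraints on the TTP, a most general R and an unreliable
O-R channel.  A refinement of O maps her local view to the set of moves she
may choose; objectives are reduced to an evidence-balance check."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class State:
    sent: frozenset = frozenset()       # messages handed to the O-R channel
    delivered: frozenset = frozenset()  # messages the channel delivered
    requests: tuple = ()                # requests received by the TTP, in order
    ttp: str = ""                       # "" | "abort" | "resolve": tokens issued
    r_stopped: bool = False             # R chose to go idle forever

def ttp_respond(s):
    """AGS constraints on the TTP: the first request decides which tokens both
    agents get; later requests are answered with the same kind, never both."""
    if s.ttp or not s.requests:
        return s
    return replace(s, ttp="abort" if s.requests[0].startswith("a") else "resolve")

def o_moves_star(s):
    """O*: the maximal refinement satisfying the AGS constraints on O.  She
    never aborts in v0 nor after sending m3, and never idles forever."""
    if "m1" not in s.sent:
        return {"m1"}
    if s.requests:                      # the TTP has been asked: protocol over
        return set()
    if "m2" not in s.delivered:
        return {"abort"}                # no EOR: abort in state {M1}
    if "m3" not in s.sent:
        return {"m3"}
    if "m4" not in s.delivered:
        return {"resolve"}              # no EOR_k after m3: resolve
    return set()

def o_moves_abort_after_m3(s):
    """Hypothetical refinement violating constraint 3 of the AGS constraints
    on O: after sending m3 she may abort instead of resolving."""
    moves = o_moves_star(s)
    if "m3" in s.sent and "m4" not in s.delivered and not s.requests:
        moves = moves | {"abort"}
    return moves

def r_moves(s):
    """Most general R: answer, resolve, or go idle forever at any point."""
    if s.r_stopped or s.requests:
        return set()
    moves = {"stop"}
    if "m1" in s.delivered and "m2" not in s.sent:
        moves.add("m2")
    if "m3" in s.delivered and "m4" not in s.sent:
        moves.add("m4")
    if "m1" in s.delivered:
        moves.add("resolve")
    return moves

def step(s, who, move):
    """Successors of one scheduled move: a send has two (the O-R channel may
    deliver or drop it); a request reaches the TTP over the resilient channel."""
    if move == "stop":
        return [replace(s, r_stopped=True)]
    if move in ("abort", "resolve"):
        req = move[0] + "_" + who       # a_O, r_O, r_R
        return [ttp_respond(replace(s, requests=s.requests + (req,)))]
    sent = s.sent | {move}
    return [replace(s, sent=sent, delivered=s.delivered | {move}),
            replace(s, sent=sent)]

def objectives(s):
    """(phi_O, phi_R, phi_TTP) for a maximal trace ending in state s."""
    o_has = "m4" in s.delivered or s.ttp == "resolve"   # O holds R's evidence
    r_has = "m3" in s.delivered or s.ttp == "resolve"   # R holds O's evidence
    phi_o = not (r_has and not o_has)
    phi_r = not (o_has and not r_has)
    phi_ttp = bool(s.ttp) or not s.requests             # every request answered
    return phi_o, phi_r, phi_ttp

def traces(o_moves, s=State(), history=()):
    """Backtracking scheduler: every interleaving of every enabled move."""
    enabled = [("O", m) for m in sorted(o_moves(s))]
    enabled += [("R", m) for m in sorted(r_moves(s))]
    if not enabled:
        yield history, s
        return
    for who, move in enabled:
        for nxt in step(s, who, move):
            yield from traces(o_moves, nxt, history + ((who, move),))

def witness_against_o(o_moves):
    """None if every trace of [O' || R || TTP || Sc] satisfies
    (phi_R and phi_TTP) => phi_O, else a violating trace (Lemma 5, assertion 2)."""
    for history, final in traces(o_moves):
        phi_o, phi_r, phi_ttp = objectives(final)
        if phi_r and phi_ttp and not phi_o:
            return history
    return None
```

`witness_against_o(o_moves_star)` returns `None`, while `witness_against_o(o_moves_abort_after_m3)` returns the witness trace of Lemma 5, Case 3: $m_1$, $m_2$, $m_3$ delivered, then $O'$ aborts and the TTP issues abort tokens.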

7 Conclusion 

In this work we introduce and demonstrate the effectiveness of assume-guarantee synthesis 
in synthesizing fair exchange protocols. Our main goal is to introduce a general assume- 
guarantee synthesis framework that can be used with a variety of objectives; we considered 
a TTP objective that treats the agents symmetrically, but the framework can be used with 
possibly weaker TTP objectives that treat agents asymmetrically. Using assume-guarantee 
analysis we have obtained a new symmetric protocol that is attack-free, given the channels 
to the TTP are operational. While the need for operational channels may be considered 
impractical, we remark that it is this flexible framework that could automatically generate 
such protocols of theoretical interest in the first place. For future work we will study the 
application of assume-guarantee synthesis to other security protocols. 
8 Appendix 



Translating protocol models to process models. We now present a translation from 
the protocol model introduced in Section 2 to the process model introduced in Section 4. 
We take $\mathit{Moves} = \mathcal{M}$ as the set of process moves, corresponding to the set of all messages 
in $\mathcal{M}$. For $1 \le i \le n$, we map each participant to a process $P_i$ as follows: 

— $X_i = V_{i-1} \cup \{L_i\}$ is the set of variables of process $P_i$; it includes all participant 
variables $V_{i-1}$ and a special variable $L_i$ corresponding to control points, taking finitely 
many values in $\mathbb{N}$, 

— for all valuations $f \in \mathcal{F}_i[X_i]$, we have $\Gamma_i(f) = \Lambda_{i-1}(f \downarrow V_{i-1})$, and 

— $\delta_i : \mathcal{F}_i[\{L_i\}] \times \mathcal{F}_i[X_i \setminus \{L_i\}] \times \mathit{Moves} \to \mathcal{F}_i[\{L_i\}] \times \mathcal{F}_i[X_i \setminus \{L_i\}]$ is the process transition 
function that exactly corresponds to the participant transition function. 

The sets $X_i$ form a partition of $X = \bigcup_{i=1}^{n} X_i$. The set of processes $P_i$, given all possible 
behaviors of a fair scheduler $Sc$, corresponds to the most general exchange program. The 
realization of a protocol corresponds to a refinement $P'_i \preceq P_i$ for $1 \le i \le n$, where each 
participant maps to the process $P'_i$ as follows: 

— $X'_i = X_i = V_{i-1} \cup \{L_i\}$ is the set of variables of process $P'_i$, 

— for all valuations $f \in \mathcal{F}_i[X_i]$, we have $\Gamma'_i(f) = \Lambda'_{i-1}(f \downarrow V_{i-1})$, and 

— for all valuations $f \in \mathcal{F}_i[X_i]$, for all moves $m \in \mathit{Moves}$, we have 
$\delta'_i(f, m) = \Delta'_{i-1}(f(L_i), f \downarrow V_{i-1}, m)$. 

A protocol instance (protocol run) is a trace in $[P'_1 \parallel P'_2 \parallel \dots \parallel P'_n \parallel Sc](v_0)$ for an initial 
valuation $v_0 \in \mathcal{F}[X]$. The specifications of the participants, which were defined as sets of 
desired sequences of messages, are subsets of traces in $[P'_1 \parallel P'_2 \parallel \dots \parallel P'_n \parallel Sc](v_0)$. Given 
specifications $\varphi_i$ for the processes $P_i$, a $Y$-attack for $Y \subseteq \{P_1, P_2, \dots, P_n\}$ satisfies $\varphi_i$ for all 
$P_i \in Y$, while violating $\varphi_j$ for at least one process $P_j \in (\{P_1, P_2, \dots, P_n\} \setminus Y)$. There 
are three participants in a two-party fair non-repudiation protocol: the originator $O$, the 
recipient $R$ and the trusted third party TTP. We therefore take $n = 3$ in modeling two-party 
fair exchange protocols in the above translation. 

We now prove Lemma 2. Given a refinement $P' = (O', R', TTP') \preceq P$, we first characterize 
the smallest restriction on $O'$ and $R'$ that satisfies the implication conditions: 

$[O \parallel R' \parallel TTP \parallel Sc] \subseteq (\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$, and (7) 
$[O' \parallel R \parallel TTP \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. (8) 

We show that for all refinements $R' \preceq R$, the implication condition (7) holds. In order to 
characterize the smallest restriction on $O$ that satisfies the implication condition (8), we 
recall the following constraints on $O$. We show that these constraints are both necessary and 
sufficient to satisfy (8). 

AGS constraints on O. We say that a refinement $O' \preceq O$ satisfies the AGS constraints 
on $O$ if $O'$ satisfies the following constraints: 

1. $a_O^? \notin \Gamma_{O'}(v_0)$; 

2. $EOO_k \notin \Gamma_{O'}(\{M_1, EOR, ABR^O\})$; and 

3. $a_O^? \notin \Gamma_{O'}(\{M_1, EOR, M_3\})$. 

The most flexible refinements $O' \preceq O$ and $R' \preceq R$. We now characterize the most 
flexible refinements $O' \preceq O$ and $R' \preceq R$ that satisfy the implication conditions 
$(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$ and $(\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$. 



Lemma 4 For all refinements $R' \preceq R$, the following assertion holds: 

$[O \parallel R' \parallel TTP \parallel Sc] \subseteq (\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$. 

Proof Consider an arbitrary refinement $R' \preceq R$. We have the following cases of sets of traces 
of $[O \parallel R' \parallel TTP \parallel Sc]$ for the proof: 

— Case 1. Set of traces where $m_3$ has been received. For all traces where $m_3$ has been 
received, $\varphi_R$ is satisfied. Therefore all these traces satisfy the implication condition 
$(\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$. 

— Case 2. Set of traces where $m_3$ has not been received. For all traces where $m_3$ has not 
been received, the traces where either $\varphi_O$ or $\varphi_{TTP}$ is violated satisfy the implication 
condition $(\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$ trivially. The interesting cases are those traces that satisfy 
$\varphi_O \wedge \varphi_{TTP}$ but violate $\varphi_R$. These are exactly the traces where $O$ does not have $EOR_k$, 
since $m_4$ is not sent before receiving $m_3$, and $R$ does not have $EOO_k$, as otherwise $\varphi_R$ 
would be satisfied. We have the following cases that lead to a contradiction: 

• Case (a). $O$ aborts the protocol. In these traces, since $\varphi_{TTP}$ is satisfied, the abort 
token must have been sent to both agents, and since neither agent will be sent the 
other's signature and the channels between the agents and the TTP are resilient, 
the traces satisfy $\varphi_R$, leading to a contradiction. 

• Case (b). $O$ or $R'$ resolve the protocol. In these traces, since $\varphi_{TTP}$ is true, the TTP 
sends $EOO_{TTP}$ to $R$ and $EOR_{TTP}$ to $O$ and never sends either $AO$ or $AR$. This 
implies, given the channel between the agents and the TTP is resilient, the traces 
satisfy $\varphi_R$, leading to a contradiction. 

• Case (c). $R'$ chooses move $\bot$. In these traces, since $\varphi_O$ is true, either $O$ aborts 
the protocol after sending $m_1$ or she chooses to abort or resolve the protocol after 
receiving $m_2$. In either case, given the traces satisfy $\varphi_{TTP}$, by the above argument 
$\varphi_R$ is satisfied as well, irrespective of the behavior of the channel between $O$ and $R$. 
This again leads to a contradiction. 

Since we have shown that for all traces, either $\varphi_R$ is satisfied or satisfaction of $\varphi_O \wedge \varphi_{TTP}$ 
implies satisfaction of $\varphi_R$, we conclude that for all refinements $R' \preceq R$ the assertion holds. 
■ 

It follows from Lemma 4 that, as $R'$ can always resolve the protocol in state $\{EOO\}$ 
and all successor states such that the resulting trace satisfies $(\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$, we have 
$m_2 \in \Gamma_{R'}(\{EOO\})$. Similarly, $m_4 \in \Gamma_{R'}(\{EOO, M_2, EOO^O\})$, as $\varphi_R$ is satisfied in all traces 
where $m_3$ has been received, thus satisfying $(\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$. 

In the following lemma, in assertion 1 we show that for all refinements $O' \preceq O$ that 
satisfy the AGS constraints on $O$, the implication condition (8) is satisfied; in assertion 2 
we show that if $O'$ does not satisfy the AGS constraints on $O$, the implication condition (8) 
is violated. 

Lemma 5 (The smallest restriction on $O' \preceq O$) For all refinements $O' \preceq O$, the 
following assertions hold: 

1. if $O'$ satisfies the AGS constraints on $O$, then 

$[O' \parallel R \parallel TTP \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 

2. if $O'$ does not satisfy the AGS constraints on $O$, then 

$[O' \parallel R \parallel TTP \parallel Sc] \not\subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 



Proof Consider an arbitrary refinement $O' \preceq O$ that satisfies the AGS constraints on $O$. We 
have the following cases of sets of traces of $[O' \parallel R \parallel TTP \parallel Sc]$ for the proof: 

— Case 1. Set of traces where $m_4$ has been received. In the case of classical co-synthesis, 
an adversarial $R$ will never send $m_4$ as that satisfies $\varphi_O$ unconditionally, but in assume-guarantee 
synthesis, from Lemma 4, since all refinements of $R$ satisfy the weaker condition 
$(\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$, we have $m_4 \in \Gamma_{R'}(\{EOO, M_2, EOO^O\})$. For all traces where $m_4$ has 
been received, $\varphi_O$ is satisfied. Therefore all these traces satisfy the implication condition 
$(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 

— Case 2. Set of traces where $m_4$ has not been received. For all traces where $m_4$ has not 
been received, the traces where either $\varphi_R$ or $\varphi_{TTP}$ is violated satisfy the implication 
condition $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$ trivially. The interesting cases are those traces that satisfy 
$\varphi_R \wedge \varphi_{TTP}$ but violate $\varphi_O$. These are exactly the traces where $O$ does not have $EOR_k$, 
since $m_4$ has not been received. We have the following cases that lead to a contradiction: 

• Case (a). $O'$ has sent $m_3$. In these traces, since $O'$ satisfies the AGS constraints on 
$O$, the only choices of moves for $O'$ are $\bot$ or $r_O^?$; she can wait for $R$ to send $m_4$ or 
resolve the protocol. In the set of traces where she eventually receives $m_4$, by Case 1, 
the traces satisfy $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. If she does not receive $m_4$, she will eventually 
resolve the protocol to satisfy $\varphi_O$. In the set of traces where she eventually resolves 
the protocol, since $\varphi_{TTP}$ is satisfied and $R$ cannot abort the protocol, the TTP will 
eventually respond to her request by sending her non-repudiation evidence and not 
the abort token. These traces therefore satisfy $\varphi_O$, leading to a contradiction. 

• Case (b). $O'$ aborts the protocol before sending $m_3$. Since $O'$ satisfies the AGS constraints 
on $O$, she cannot abort the protocol in the initial state $v_0$. Therefore, $O'$ 
must have started the protocol by sending $m_1$. In all these traces, $O'$ aborts the 
protocol after sending $m_1$ but before sending $m_3$, and since $O'$ satisfies the AGS 
constraints on $O$, she will not send $m_3$ after sending the abort request. Since these 
traces satisfy $\varphi_{TTP}$, the abort token must have been sent to both agents, and since 
neither agent will be sent the other's signature and the channels between the agents 
and the TTP are resilient, the traces satisfy $\varphi_O$, leading to a contradiction. 

• Case (c). $O'$ resolves the protocol before sending $m_3$. In these traces, since $\varphi_{TTP}$ is 
true, the TTP sends $EOR_{TTP}$ to $O$ and $EOO_{TTP}$ to $R$ and never sends either $AO$ 
or $AR$. This implies, given the channel between the agents and the TTP is resilient, 
the traces satisfy $\varphi_O$, leading to a contradiction. 

• Case (d). $O'$ chooses move $\bot$ instead of sending $m_3$. In these traces, since $\varphi_R$ is true, 
$R$ must have resolved the protocol after receiving $m_1$. In this case, given the traces 
satisfy $\varphi_{TTP}$, by the above argument $\varphi_O$ is satisfied as well. This again leads to a 
contradiction. 

• Case (e). The channel between $O$ and $R$ is unreliable. If either $m_1$ or $m_2$ is not 
delivered, then $O'$ can abort the protocol. If either $m_3$ or $m_4$ is not delivered, then 
$O'$ can resolve the protocol. In either case, by Case (a), Case (b) and Case (c), 
$\varphi_O$ is satisfied even when the channel between $O$ and $R$ is unreliable, leading 
to a contradiction. 

We conclude that for all $O'$ that satisfy the AGS constraints on $O$, we have 
$[O' \parallel R \parallel TTP \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 

For assertion 2, consider an arbitrary refinement $O' \preceq O$ that does not satisfy the AGS 
constraints on $O$. We consider violations of the constraints on a case by case basis. For each 
case we produce a witness trace that violates the implication condition $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 
We proceed as follows: 

— Case 1. $a_O^? \in \Gamma_{O'}(v_0)$. In a trace where $O'$ sends an abort request before sending message 
$m_1$ in the initial protocol state $v_0$, it is trivially the case that the trace does not satisfy $\varphi_O$ 
but satisfies $\varphi_R$. If the TTP satisfies the AGS constraints on the TTP and sends $[a_O^!, a_R^!]$ 
in response, then the trace satisfies $\varphi_{TTP}$. Therefore, the trace violates $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 

— Case 2. $EOO_k \in \Gamma_{O'}(\{M_1, EOO, ABR^O\})$. To produce a witness trace we consider a partial 
trace that ends in protocol state $\{M_1, EOO, ABR^O\}$; messages $m_1$ and $m_2$ have been 
received and the abort request has been sent. Since the channel between $O$ and the TTP is resilient, 
the abort request is eventually processed by the TTP. If $O'$ sends message $m_3$ in this 
state and the TTP responds with move $[a_O^!, a_R^!]$ to her abort request, then there exists 
a behavior of the channel between $O$ and $R$ such that $m_3$ is eventually delivered and 
the protocol is aborted. The trace therefore satisfies $\varphi_R \wedge \varphi_{TTP}$ but violates $\varphi_O$, as $O$ 
cannot get $R$'s signature after the protocol is aborted and $R$ has her signature. 

— Case 3. $a_O^? \in \Gamma_{O'}(\{M_1, EOO, M_3\})$. To produce a witness trace we consider a partial trace 
that ends in protocol state $\{M_1, EOO, M_3\}$; messages $m_1$ and $m_2$ have been received 
and $m_3$ has been sent. If $O'$ aborts the protocol in this state and the TTP satisfies 
the AGS constraints on the TTP and responds with move $[a_O^!, a_R^!]$, then there exists a 
behavior of the channel between $O$ and $R$ where $m_3$ is eventually delivered to $R$. The 
trace satisfies $\varphi_R \wedge \varphi_{TTP}$ but violates $\varphi_O$. 

We conclude that if $O'$ does not satisfy the AGS constraints on $O$, then 
$[O' \parallel R \parallel TTP \parallel Sc] \not\subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. ■ 
From Lemma 5, it is both necessary and sufficient that O satisfies the AGS constraints 
on O to ensure the implication condition (8). 

The maximal refinement $P^* = (O^*, R^*, TTP^*)$. We recall the definition of the maximal 
refinement $P^* = (O^*, R^*, TTP^*)$ below: 

1. $O^* \preceq O$ satisfies the AGS constraints on $O$ and for all $O'$ that satisfy the constraints, 
we have $O' \preceq O^*$; 

2. $R^* = R$; and 

3. $TTP^* \preceq TTP$ satisfies the AGS constraints on the TTP and for all $TTP'$ that satisfy 
the constraints, we have $TTP' \preceq TTP^*$. 

The weak co-synthesis requirement. Let $b \in \mathbb{N}$ be a bound on the number of times that 
$O$ or the TTP may choose the idle move $\bot$ when scheduled by $Sc$. In the following lemma, 
for all refinements $P' \preceq P^*$ that satisfy the AGS constraints on the TTP, in assertion 1 we 
show that if $b$ is finite, then the condition for weak co-synthesis is satisfied; in assertion 2 
we show that if $b$ is unbounded, then the condition for weak co-synthesis is violated. 

Lemma 6 (Bounded idle time lemma) For all refinements $P' = (O', R', TTP') \preceq P^*$ 
that satisfy the AGS constraints on the TTP, for all $b \in \mathbb{N}$ with $O'$ and $TTP'$ choosing at 
most $b$ idle moves when scheduled by $Sc$, the following assertions hold: 

1. if $b$ is finite, then $[O' \parallel R' \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$. 

2. if $b$ is unbounded, then $[O' \parallel R' \parallel TTP' \parallel Sc] \not\subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$. 

Proof For the first assertion, we show that the condition for weak co-synthesis holds against 
all possible behaviors of the channel between $O$ and $R$. We have the following cases: 

— Case 1. Agents abort or resolve the protocol. In all traces where the agents abort or 
resolve the protocol, given $b$ is finite and that $TTP'$ satisfies the AGS constraints on 
the TTP, by Lemma 1 (assertion 1), $TTP'$ will eventually respond to the first and all 
subsequent requests such that $\varphi_{TTP}$ is satisfied. In all these traces, given the channels 
between the agents and the TTP are resilient, both agents get either the abort token or 
non-repudiation evidence but never both. This ensures $\varphi_O$ and $\varphi_R$ are satisfied. 

— Case 2. The channel between $O$ and $R$ is resilient. In all traces where neither agent aborts 
nor resolves the protocol, $\varphi_{TTP}$ is satisfied trivially. Further, the only refinements of the 
agents that neither abort nor resolve the protocol are those where $\{m_1, m_3\} \subseteq \mathit{Moves}_{O'}$ 
and $\{m_2, m_4\} \subseteq \mathit{Moves}_{R'}$. Since $b$ is finite, the only choices of moves for $O'$, since she 
does not abort or resolve the protocol, are $m_1$ in state $v_0$ and $m_3$ in state $\{M_1, EOR\}$, 
after choosing at most $b$ idle moves at each state. Similarly, the only choices of moves 
for $R'$ are $\bot$ or $m_2$ in state $\{EOO\}$ and $\bot$ or $m_4$ in state $\{EOO, M_2, EOO^O\}$. If $R'$ never 
sends $m_2$, then $O'$ will eventually abort the protocol after bounded idle time and this case 
reduces to Case 1. If $R'$ never sends $m_4$, then $O'$ will eventually resolve the protocol after 
bounded idle time and this case reduces to Case 1. If $R'$ sends $m_2$ and $m_4$ eventually, 
since the channel between $O$ and $R$ is assumed resilient, messages $m_1$, $m_2$, $m_3$ and $m_4$ 
are eventually delivered, satisfying $\varphi_O$ and $\varphi_R$. 

— Case 3. The channel between $O$ and $R$ is unreliable. Since $O' \preceq O^*$, we have $a_O^? \notin \Gamma_{O'}(v_0)$ 
and $a_O^? \notin \Gamma_{O'}(\{M_1, EOR, M_3\})$; $O'$ can abort the protocol in all other states. Therefore, 
$O'$ satisfies the AGS constraints on $O$. Since $b$ is finite and $O'$ cannot resolve the protocol 
before initiating it, the only choice of moves for $O'$ in state $v_0$ is to send $m_1$ eventually. 
If the channel between $O$ and $R$ does not deliver either message $m_1$ or $m_2$, the only 
choice of moves for $O'$ is to abort the protocol. If either message $m_3$ or $m_4$ is not 
delivered, then the only choice of moves for $O'$ is to resolve the protocol. In both these 
cases, since $O'$ chooses to abort or resolve the protocol, by Case 1 the result follows. 

We conclude that irrespective of the behavior of the channel between $O$ and $R$, if $b$ is finite, 
we have $[O' \parallel R' \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$. 

For the second assertion, given an unbounded $b$, to show that weak co-synthesis fails, it 
suffices to show that there exists a behavior of the agents, the TTP and the channels that 
violates the condition for weak co-synthesis. Consider a partial trace ending in protocol state 
$\{M_1, EOO, M_2, EOR, M_3, EOO_k, RES^O\}$; messages $m_1$, $m_2$ and $m_3$ have been received, $R$ 
chooses to go idle, never sending $m_4$, and $O'$ has sent $r_O^?$. Since $b$ is unbounded, if $TTP'$ 
chooses to remain idle forever, then $\varphi_O$ and $\varphi_{TTP}$ are violated, leading to a violation of 
$(\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$. Therefore, given an unbounded $b$, we have 
$[O^* \parallel R^* \parallel TTP^* \parallel Sc] \not\subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$. ■ 

From Lemma 6, it is both necessary and sufficient that the refinements $P' \preceq P^*$ that 
satisfy the AGS constraints on the TTP also satisfy bounded idle time to ensure weak co-synthesis. 
While $O$ and the TTP should satisfy bounded idle time, there are no restrictions 
on $R$. Using Lemma 1, Lemma 4, Lemma 5 and Lemma 6 we now present a proof of Lemma 2. 

Proof (Proof of Lemma 2). In one direction, consider an arbitrary refinement 
$P' = (O', R', TTP') \in \mathcal{P}$. We show that the conditions of assume-guarantee synthesis are satisfied 
as follows: 

— The implication condition for $O$. Since $P' \preceq P^*$, we have $O' \preceq O^*$, $R' \preceq R^*$ and 
$TTP' \preceq TTP^*$. As $a_O^? \notin \Gamma_{O^*}(v_0)$ and $a_O^? \notin \Gamma_{O^*}(\{M_1, EOR, M_3\})$, the refinement $P'$ 
satisfies the AGS constraints on $O$. Therefore, by Lemma 5 (assertion 1), we have 
$[O' \parallel R \parallel TTP \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 

— The implication condition for $R$. By Lemma 4, we have 
$[O \parallel R' \parallel TTP \parallel Sc] \subseteq (\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$. 

— The implication condition for the TTP. Since $TTP' \preceq TTP^*$ and $TTP'$ satisfies the 
AGS constraints on the TTP, by Lemma 1 (assertion 1), $\varphi_{TTP}$ is satisfied irrespective 
of the behavior of $O$ and $R$, which implies $[O \parallel R \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$. 

— The weak co-synthesis condition. Given $P'$ satisfies bounded idle time, by Lemma 6 we 
have $[O' \parallel R' \parallel TTP' \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$; weak co-synthesis holds. 

Since we have shown that the refinement $P'$ satisfies all the implication conditions and 
the weak co-synthesis condition of assume-guarantee synthesis, we have $P' \in \mathcal{P}_{AGS}$. Hence 
$\mathcal{P} \subseteq \mathcal{P}_{AGS}$. 

In the other direction, consider an arbitrary refinement $P'' = (O'', R'', TTP'') \in \mathcal{P}_{AGS}$. 
We show that $P'' \in \mathcal{P}$ as follows: 

— The AGS constraints on $O$. By Lemma 5, since it is both necessary and sufficient that a 
refinement satisfy the AGS constraints on $O$ to ensure that the implication condition 
$(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$ is satisfied, given the implication condition holds, we conclude that $P''$ 
satisfies the AGS constraints on $O$. Therefore, $O'' \pre
ceq O^*$. 

— The AGS constraints on the TTP. By Lemma 1, since it is both necessary and sufficient 
that a refinement satisfy the AGS constraints on the TTP to ensure that the implication 
condition $(\varphi_O \wedge \varphi_R) \Rightarrow \varphi_{TTP}$ is satisfied, given the implication condition holds, we 
conclude that $P''$ satisfies the AGS constraints on the TTP and $TTP'' \preceq TTP^*$. 

— The bounded idle time condition. By Lemma 6, since it is both necessary and sufficient 
that a refinement satisfy bounded idle time to ensure weak co-synthesis, and weak 
co-synthesis holds in this case, we conclude that $P''$ satisfies bounded idle time. 

— $P'' \preceq P^*$. Since we have shown that $O'' \preceq O^*$ and $TTP'' \preceq TTP^*$, we have $P'' \preceq P^*$. 

— $P_* \preceq P''$. Since $P_*$ is the smallest refinement in the set $\mathcal{P}_{AGS}$, given $P'' \in \mathcal{P}_{AGS}$, it must 
be the case that $P_* \preceq P''$. 

For $P'' \in \mathcal{P}_{AGS}$, as we have shown that $P_* \preceq P'' \preceq P^*$, $P''$ satisfies the AGS constraints on 
the TTP and satisfies bounded idle time. Thus we have $P'' \in \mathcal{P}$ and hence $\mathcal{P}_{AGS} \subseteq \mathcal{P}$. The 
result follows. ■ 
We now present a proof of Lemma 3. We recall the enhanced AGS constraints on the 
TTP below: 

1. Abort constraint. If the first request received by the TTP is $a_O^?$, then her response to 
that request should be $[a_O^!, a_R^!]$; if the first request received by the TTP is $a_R^?$, then her 
response to that request should be $\mathit{req}^O$; 

2. Resolve constraint. If the first request received by the TTP is a resolve request, then 
her response to that request should be $[r_O^!, r_R^!]$; if the TTP receives $\mathit{res}^O$ in response to 
$\mathit{req}^O$ within bounded idle time, then her response should be $[r_O^!, r_R^!]$, otherwise it should 
be $[a_O^!, a_R^!]$. 

3. Accountability constraint. If the first response from the TTP is $[x, y]$, or the first response 
from the TTP is $\mathit{req}^O$ and the next response is $[x, y]$, then for all subsequent abort or 
resolve requests her response should be in the set $\{\bot, x, y, [x, y]\}$. 

Proof (Proof of Lemma 3). From Protocol 2, since the refinement $O_s$ does not abort the 
protocol either in the initial state $v_0$ or after sending message $m_3$, $O_s$ satisfies the 
AGS constraints on $O$. By our definition of the behavior of $TTP_s$, $TTP_s$ satisfies 
the enhanced AGS constraints on the TTP. From the definition of the main protocol in 
Protocol 2 and the abort subprotocol in Protocol 3, and since the resolve subprotocol is identical 
to the KM protocol, $O_s$ and $TTP_s$ satisfy the bounded idle time requirement. We 
take $\mathcal{A} = \{O, R, TTP\}$ and show that there is no $Y$-attack for $Y \subseteq \{O, R\}$ through the 
following cases: 

- Case 1. $|Y| = 2$. In this case $Y = \{O, R\}$. We show that $[O \parallel R \parallel TTP_s \parallel Sc] \subseteq \varphi_{TTP}$. 
For all traces in $[O \parallel R \parallel TTP_s \parallel Sc]$ where $R$ does not abort the protocol, since $TTP_s$ 
satisfies the enhanced AGS constraints on the TTP, by Lemma 1 (assertion 1), $\varphi_{TTP}$ 
is satisfied. For all traces where $R$ sends an abort request, the TTP sends $\mathit{req}^O$. If $O$ 
responds with $\mathit{res}^O$ within bounded idle time, then the TTP resolves the protocol for 
both $O$ and $R$ such that the AGS constraints on the TTP are satisfied. If $O$ does not 
send $\mathit{res}^O$ within bounded idle time, then the TTP aborts the protocol, such that the 
AGS constraints on the TTP are satisfied. For all subsequent abort requests from $R$, 
the TTP response satisfies the AGS constraints on the TTP. All traces therefore satisfy 
$\varphi_{TTP}$. Hence, there is no $Y$-attack in this case. 

- Case 2. $|Y| = 1$. In this case, either $Y = \{O\}$ or $Y = \{R\}$. We have the following cases 
towards the proof: 

• Case (a). $Y = \{O\}$. We show that $[O \parallel R_s \parallel TTP \parallel Sc] \subseteq (\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$; it 
will follow that $[O \parallel R_s \parallel TTP_s \parallel Sc] \subseteq (\varphi_O \wedge \varphi_{TTP}) \Rightarrow \varphi_R$. Consider the set of 
traces in $[O \parallel R_s \parallel TTP \parallel Sc]$. For all traces where $R$ does not abort the protocol, by 
Lemma 4, we have $\varphi_O \wedge \varphi_{TTP} \Rightarrow \varphi_R$. For all traces where $R$ aborts the protocol, if he 
has received $m_3$, then $\varphi_R$ is satisfied. For all traces where $R$ aborts the protocol and 
message $m_3$ has not been received, if $\varphi_{TTP}$ is violated, then the implication holds, 
and if $\varphi_{TTP}$ is satisfied, then either both agents get abort tokens or their respective 
non-repudiation evidences, thus satisfying $\varphi_R$. We have shown that all traces satisfy 
the implication condition $\varphi_O \wedge \varphi_{TTP} \Rightarrow \varphi_R$. Since we have a fixed TTP that satisfies 
the AGS constraints on the TTP, $\varphi_{TTP}$ is satisfied in all traces by Case 
1. As $\varphi_O$ is satisfied by assumption, we conclude $\varphi_R$ is satisfied as well. Therefore, 
there is no $Y$-attack in this case. 

• Case (b). $Y = \{R\}$. It can be shown that $[O_s \parallel R \parallel TTP \parallel Sc] \not\subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 
We show that, by fixing the TTP, we have $[O_s \parallel R \parallel TTP_s \parallel Sc] \subseteq (\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. 
Consider the set of traces $[O_s \parallel R \parallel TTP_s \parallel Sc]$. For all traces where $R$ does 
not abort the protocol, since $O_s$ satisfies the AGS constraints on $O$, by Lemma 5, 
we have $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$. If $R$ aborts the protocol, since the TTP satisfies the 
enhanced AGS constraints on the TTP and the channel between $O$ and the TTP 
is operational, $\mathit{req}^O$ must have been received by $O$. At this stage, if $O_s$ has sent 
message $m_3$, then the only choice of moves for $O_s$ to satisfy $\varphi_O$ is $\mathit{res}^O$, a request 
to resolve the protocol. Since the channels are operational, there exists a bound on 
the idle time of the TTP such that both $\mathit{req}^O$ and $\mathit{res}^O$ can be delivered within 
this bound. Moreover, as $TTP_s$ satisfies the enhanced AGS constraints on the TTP, 
both $O$ and $R$ will be issued non-repudiation evidences and never abort tokens, thus 
satisfying $\varphi_O$. If $O_s$ has not sent message $m_3$, then the only choices of moves for $O_s$ 
to satisfy $\varphi_O$ are $\bot$ or $\mathit{res}^O$. In all these traces, since $TTP_s$ satisfies bounded idle 
time and the AGS constraints on the TTP, either both agents get non-repudiation 
evidences or abort tokens but never both, thus satisfying $\varphi_O$. Therefore, all these 
traces satisfy $(\varphi_R \wedge \varphi_{TTP}) \Rightarrow \varphi_O$, which, given $\varphi_R$ is satisfied by assumption and 
$\varphi_{TTP}$ is satisfied by Case 1, implies $\varphi_O$ is satisfied as well. There is no $Y$-attack in 
this case. 

- Case 3. $|Y| = 0$. In this case $Y = \emptyset$ and $(\mathcal{A} \setminus Y)' = \{O_s, R_s, TTP_s\}$. Since $P_s$ satisfies 
bounded idle time, in all traces where $R$ does not abort the protocol, by Lemma 6, the 
condition for weak co-synthesis is satisfied. In all traces where $R$ aborts the protocol, as 
$TTP_s$ satisfies the AGS constraints on the TTP, she sends $\mathit{req}^O$. In all these traces, since 
$TTP_s$ and $O_s$ satisfy bounded idle time, and the channels are operational, $O_s$ chooses $\bot$ 
or sends $\mathit{res}^O$ and $TTP_s$ responds with either abort tokens or non-repudiation evidences 
but not both, leading to the satisfaction of $\varphi_O$ and $\varphi_R$. Since $\varphi_{TTP}$ is satisfied by Case 
1, all these traces satisfy $(\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$. Therefore, there is no $Y$-attack in this case. 

The result follows. ■ 

Proof (Proof of Theorem 8). By Lemma 3, it follows that if the TTP does not change 
her behavior, then $P_s$ is attack-free. Further, by the weak co-synthesis condition, we have 
$[O_s \parallel R_s \parallel TTP_s \parallel Sc] \subseteq (\varphi_O \wedge \varphi_R \wedge \varphi_{TTP})$ and hence, by Theorem 1, we have 
$[O_s \parallel R_s \parallel TTP_s \parallel Sc] \subseteq L_{ff}$. Thus $P_s$ satisfies fairness. Using PCS we ensure abuse-freeness. Since 
$[O_s \parallel R_s \parallel TTP_s \parallel Sc] \cap (\Diamond \mathit{NRO} \wedge \Diamond \mathit{NRR}) \neq \emptyset$, the refinement $P_s$ enables an exchange of 
signatures and hence is an exchange protocol. We conclude that if the TTP does not change 
her behavior, then $P_s$ is an attack-free fair non-repudiation protocol. ■ 



